@cyberis
Last active October 24, 2021 01:06
Opening IP Excluded Ports In Windows

I was having some real problems with CLIs not being able to open local ports to perform tasks that communicate with cloud services. In the current case, whenever I tried to authorize a Salesforce Org for use with the sfdx CLI, I was getting an access permissions error:

```
$ sf login org -l https://test.salesforce.com
Error: listen EACCES: permission denied 127.0.0.1:1717
    at Server.setupListenHandle [as _listen2] (net.js:1303:21)
    at listenInCluster (net.js:1368:12)
    at GetAddrInfoReqWrap.doListen [as callback] (net.js:1505:7)
    at GetAddrInfoReqWrap.onlookup [as oncomplete] (dns.js:71:8) {
  code: 'EACCES',
  errno: -4092,
  syscall: 'listen',
  address: '127.0.0.1',
  port: 1717
}
```

It turns out this is the local port used during OAuth transactions. I could have changed the port with a variable in my sfdx-project.json file by adding:

```
"oauthLocalPort": "1771",
```

where the port would be some port not currently being used or reserved by an application. When I ran:

```
netsh int ip show excludedportrange protocol=tcp
```

There were several 100-port blocks being reserved by something. At first I thought it was WSL or Docker, but those reserved ports tend to be above 50000.

Finally I found this: https://stackoverflow.com/questions/54010365/how-to-see-what-is-reserving-ephemeral-port-ranges-on-windows

When I stopped the winnat service (Windows NAT), all of those blocks of 100 excluded ports were removed from the list. So I:

```
net stop winnat
netsh int ipv4 add excludedportrange protocol=tcp startport=1717 numberofports=1
net start winnat
```

Now when I run:

```
# netsh interface ipv4 show excludedportrange protocol=tcp

Protocol tcp Port Exclusion Ranges

Start Port    End Port
----------    --------
        80          80
      1717        1717     *
      5357        5357
      5700        5700
      8884        8884
     50000       50059     *

* - Administered port exclusions.
```

This will keep this port from being blocked by winnat and other apps that preemptively reserve ports by excluding them.
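To check whether a given port sits inside one of these ranges before and after the change, the listing can be parsed. This is an added example, not part of the original gist: the function names are hypothetical and `SAMPLE_BEFORE` is constructed to resemble the state where a 100-port block covers 1717.

```python
import re
import subprocess
import sys

# Constructed sample (not from the gist): a dynamic 100-port block that
# happens to cover 1717, as in the state before winnat was stopped.
SAMPLE_BEFORE = """\
Protocol tcp Port Exclusion Ranges

Start Port    End Port
----------    --------
        80          80
      1672        1771
      5357        5357
     50000       50059     *

* - Administered port exclusions.
"""

# A data row is two integers, optionally followed by "*" (administered).
# Matching on numbers only keeps the parser independent of header text.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s*(\*?)\s*$")


def parse_excluded_ranges(text):
    """Return (start, end, administered) tuples from the netsh listing."""
    rows = (ROW.match(line) for line in text.splitlines())
    return [(int(m[1]), int(m[2]), m[3] == "*") for m in rows if m]


def diagnose(port, text):
    """Return (status, start, end) for the range covering `port`, if any."""
    for start, end, administered in parse_excluded_ranges(text):
        if start <= port <= end:
            # "reserved": a non-administered block, the EACCES case above.
            # "administered": added with `netsh ... add excludedportrange`.
            return ("administered" if administered else "reserved", start, end)
    return ("free", None, None)


if __name__ == "__main__":
    text = SAMPLE_BEFORE
    if sys.platform == "win32":  # live listing, same command as in the gist
        text = subprocess.run(
            ["netsh", "int", "ipv4", "show", "excludedportrange", "protocol=tcp"],
            capture_output=True, text=True, check=True).stdout
    print(diagnose(1717, text))
```

A `reserved` result for 1717 corresponds to the failing state described at the top; `administered` corresponds to the listing shown after the fix.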

Also see this rather good article on Salesforce Stack Exchange: https://salesforce.stackexchange.com/questions/295627/sfdx-authorize-an-org-error-listen-eacces-permission-denied-127-0-0-11717
