[103149] in North American Network Operators' Group


Re: Customer-facing ACLs

daemon@ATHENA.MIT.EDU (Adrian Chadd)
Wed Mar 19 00:32:55 2008

Date: Wed, 19 Mar 2008 13:46:20 +0900
From: Adrian Chadd <adrian@creative.net.au>
To: Jon Lewis <jlewis@lewis.org>
Cc: Marshall Eubanks <tme@multicasttech.com>, nanog@merit.edu
In-Reply-To: <Pine.LNX.4.61.0803182343460.3306@soloth.lewis.org>
Errors-To: owner-nanog@merit.edu


On Tue, Mar 18, 2008, Jon Lewis wrote:

> >The solution, of course, is to hire consultants (SIBR if possible) to port 
> >everything to port 80 !
> 
> That's been going on for years.  Back when it was common for ISPs to run 
> squid servers and transparently proxy to them (probably around 2000), I 
> ran into a customer using some sort of aviation data in real time app 
> which used port 80 (and wasn't HTTP).  I had to special case traffic to 
> that service's IP to get it not to hit squid.  When I asked them why they 
> were running a non-HTTP protocol on 80/tcp, the answer was "that gets us 
> through most firewalls."

There are patches to Squid to make it silently transparently proxy stuff
that doesn't look like HTTP.

(I need to make it knob-able before I commit it, as some people -like- having
the "must be HTTP" implication of transparent interception.)



Adrian
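
[Added example, not part of the original post and not Squid's code or Adrian's
patch. It shows the decision an intercepting proxy on 80/tcp has to make before
it can "silently proxy stuff that doesn't look like HTTP": classify the first
bytes of a flow as an HTTP/1.x request line, as incomplete, or as something
else (Jon's aviation app, a TLS handshake, an SSH banner), and then apply the
knob Adrian describes: pass non-HTTP through raw, or keep the "port 80 must be
HTTP" policy and refuse it. The grammar follows RFC 7230; the sample payloads,
the MAX_REQUEST_LINE bound and the action names are constructed for the
illustration.]

```python
import re

# Constructed example, not Squid code: decide whether the leading bytes of a
# TCP flow arriving on 80/tcp look like an HTTP/1.x request.  A transparent
# interceptor sees only the client's first segment(s), so the classifier must
# also cope with an incomplete request line.

# tchar from RFC 7230 section 3.2.6; a method is one or more tchar.
_TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# request-line = method SP request-target SP HTTP-version CRLF (RFC 7230 3.1.1).
# A bare LF is tolerated, as most servers and proxies do in practice.
_REQUEST_LINE = re.compile(rb"^" + _TOKEN + rb" [^ \t\r\n]+ HTTP/1\.[01]\r?\n")
# Assumed bound: this many bytes without a line break is not a request line.
MAX_REQUEST_LINE = 8192


def classify_head(head: bytes) -> str:
    """Return 'http', 'not-http' or 'undecided' for the first bytes of a flow."""
    if b"\n" in head:
        # A complete first line is present: it either is a request line or not.
        return "http" if _REQUEST_LINE.match(head) else "not-http"
    if len(head) >= MAX_REQUEST_LINE:
        return "not-http"
    # No complete line yet.  A request line is printable ASCII, so any other
    # byte (e.g. the 0x16 0x03 that opens a TLS record) settles the question.
    if all(0x20 <= b <= 0x7E for b in head):
        return "undecided"
    return "not-http"


def interception_action(head: bytes, allow_non_http: bool) -> str:
    """Map the classification onto what an intercepting proxy would do.

    allow_non_http mirrors the knob described in the post: when True, traffic
    that is not HTTP is passed through untouched; when False the interceptor
    keeps the 'port 80 must be HTTP' policy and refuses it.
    """
    kind = classify_head(head)
    if kind == "http":
        return "proxy-as-http"
    if kind == "undecided":
        return "read-more"
    return "tunnel-raw" if allow_non_http else "reject"


# Constructed sample first segments (not captured traffic).
SAMPLES = {
    "plain GET": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "CONNECT": b"CONNECT example.com:443 HTTP/1.1\r\n\r\n",
    "lowercase version": b"get / http/1.1\r\n",
    "TLS ClientHello": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
    "SSH banner": b"SSH-2.0-OpenSSH_7.4\r\n",
    "partial request line": b"GET /very/long/path/that/has/not",
    "custom binary protocol": b"\x00\x04\x7f\x01\x42\x00",
}


def classify_samples() -> dict:
    """Classify every constructed sample; used by the demo below."""
    return {name: classify_head(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, kind in classify_samples().items():
        action = interception_action(SAMPLES[name], allow_non_http=True)
        print(f"{name:24s} -> {kind:10s} / {action}")
```

The "undecided" branch is the part a real interceptor cannot skip: on the
first segment a legitimate browser may have sent only part of the request
line, so the proxy has to buffer and read more rather than decide on too few
bytes. Note also that the check only says whether the bytes are syntactically
HTTP; an application that wraps its own protocol inside well-formed HTTP
requests to "get through most firewalls" will still classify as "http".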

