North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Customer-facing ACLs

  • From: Adrian Chadd
  • Date: Wed Mar 19 00:37:30 2008

On Tue, Mar 18, 2008, Jon Lewis wrote:

> >The solution, of course, is to hire consultants (SIBR if possible) to port 
> >everything to port 80 !
> 
> That's been going on for years.  Back when it was common for ISPs to run 
> squid servers and transparently proxy to them (probably around 2000), I 
> ran into a customer using some sort of aviation data in real time app 
> which used port 80 (and wasn't HTTP).  I had to special case traffic to 
> that service's IP to get it not to hit squid.  When I asked them why they 
> were running a non-HTTP protocol on 80/tcp, the answer was "that gets us 
> through most firewalls."

There's patches to Squid to make it silently transparently proxy stuff
that doesn't look like HTTP.

(I need to make it knob-able before I commit it, as some people -like- having
the "must be HTTP" implication of transparent interception.)



Adrian