Thread: Re: Customer-facing ACLs

Re: Customer-facing ACLs
Jon Lewis (United States), 2008-03-18 22:47:41
On Tue, 18 Mar 2008, Marshall Eubanks wrote:

>> If it becomes normal for home users to only have 80 and 443, then how can I
>> innovate and design something that needs a new protocol?  What happens to
>> the new voice and video services for example?
>
> The DOD has already been faced with this (I know of some AFB that have
> instituted this policy).
>
> The solution, of course, is to hire consultants (SIBR if possible) to port
> everything to port 80!

That's been going on for years.  Back when it was common for ISPs to run
squid servers and transparently proxy to them (probably around 2000), I
ran into a customer using some sort of aviation data in real time app
which used port 80 (and wasn't HTTP).  I had to special case traffic to
that service's IP to get it not to hit squid.  When I asked them why they
were running a non-HTTP protocol on 80/tcp, the answer was "that gets us
through most firewalls."

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

Re: Customer-facing ACLs
Adrian (Australia), 2008-03-18 23:46:20
On Tue, Mar 18, 2008, Jon Lewis wrote:

> >The solution, of course, is to hire consultants (SIBR if possible) to port
> >everything to port 80!
> 
> That's been going on for years.  Back when it was common for ISPs to run
> squid servers and transparently proxy to them (probably around 2000), I
> ran into a customer using some sort of aviation data in real time app
> which used port 80 (and wasn't HTTP).  I had to special case traffic to
> that service's IP to get it not to hit squid.  When I asked them why they
> were running a non-HTTP protocol on 80/tcp, the answer was "that gets us
> through most firewalls."

There are patches to Squid to make it silently transparently proxy stuff
that doesn't look like HTTP.

(I need to make it knob-able before I commit it, as some people -like- having
the "must be HTTP" implication of transparent interception.)

Adrian
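Both messages above turn on the same point: a port-based ACL or a transparent proxy merely assumes that 80/tcp carries HTTP, and nothing enforces it, which is why a non-HTTP service on port 80 "gets through most firewalls" and why the "must be HTTP" behaviour of transparent interception is worth keeping as a control. As an added example (my code, not anything from the thread and not Squid's), here is a small classifier run over constructed first-payload samples that flags port-80 connections whose opening bytes are not an HTTP/1.x request line; the Flow record, the helper names, the 8192-byte line limit and the sample payloads are my constructions, and the check is a detection heuristic, not a full HTTP parser.

```python
import re
from dataclasses import dataclass

# HTTP/1.x request line (RFC 7230 section 3.1.1): method SP request-target SP
# HTTP-version CRLF.  A client's first bytes on a genuine HTTP connection must
# match this; anything else on 80/tcp is another protocol wearing the port.
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
STANDARD_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                    b"OPTIONS", b"TRACE", b"CONNECT", b"PATCH"}
MAX_LINE = 8192  # longest request line we are willing to wait for (assumption)


@dataclass
class Flow:
    """Hypothetical flow record: client address, server port, first client payload."""
    client: str
    dst_port: int
    first_bytes: bytes


def looks_like_http_request(payload: bytes) -> bool:
    """True if the payload opens with a well-formed HTTP/1.x request line."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return False
    method, target = m.group(1), m.group(2)
    if method not in STANDARD_METHODS:
        return False
    # origin-form or absolute-form target; CONNECT alone uses authority-form
    return method == b"CONNECT" or target.startswith((b"/", b"http://", b"https://"))


def classify(flow: Flow) -> str:
    """Label a flow: http, non-http-on-80, undecided (line incomplete), or not-port-80."""
    if flow.dst_port != 80:
        return "not-port-80"
    data = flow.first_bytes
    if looks_like_http_request(data):
        return "http"
    if b"\r\n" not in data and len(data) < MAX_LINE and all(0x20 <= b < 0x7F for b in data):
        # Printable ASCII with no line terminator yet: could still become a
        # request line, so do not raise an alert on a partial capture.
        return "undecided"
    # Either the first line ended without being an HTTP request line, or it
    # contains bytes (NUL, TLS record headers, ...) no request line may carry.
    return "non-http-on-80"


def flag_non_http_on_80(flows) -> list:
    """Clients whose port-80 connection does not start with an HTTP request line."""
    return [f.client for f in flows if classify(f) == "non-http-on-80"]


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.0.0.1", 80, b"GET /feed HTTP/1.1\r\nHost: data.example\r\n\r\n"),
    Flow("10.0.0.2", 80, b"\x00\x2a\x01AVDATA\x00\x10\x00\x00"),            # binary framing on 80
    Flow("10.0.0.3", 80, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),  # TLS record on 80
    Flow("10.0.0.4", 80, b"SSH-2.0-OpenSSH_7.9\r\n"),                      # SSH banner on 80
    Flow("10.0.0.5", 80, b"GET /fee"),                                     # truncated capture
    Flow("10.0.0.6", 443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.client}:{f.dst_port} -> {classify(f)}")
    print("flagged:", flag_non_http_on_80(SAMPLE_FLOWS))
```

The "undecided" label is the edge case worth keeping: a capture that cuts off inside a long request line is not evidence of a foreign protocol, so the check only alerts once the first line has terminated without parsing as HTTP or contains bytes a request line can never carry. In an interception setup, the same distinction is what separates "reject or bypass anything that is not HTTP" from silently proxying everything.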
