
How to Work Around Broken Port-80 Routing?

michael posted about 12 years ago | from the service-road dept.

The Internet | 326 comments

Dr. Zowie writes "My ISP places an opaque (intended to be transparent) web proxy between me and the rest of the world. It is causing me problems due to misconfiguration or misdesign. My question is twofold. On the micro level, what can I do in the short term to work around the broken routing (in the long term, I switch ISPs if it's not fixed)? On the macro level, what can we as a community do to prevent breakage of the net on a global scale by poorly designed routing hacks?"

Dr. Zowie continues: "I use a regional ISP with otherwise-very-good policies. However, they seem to be intercepting anything that comes from my home net on port 80, so that they can "transparently" cache web requests based on the payload of those packets. The proxy seems to work rather well in most cases: I never noticed it until I started using OpenNIC. Then I found that some web pages that should have resolved OK through the OpenNIC system failed even though routing on different ports worked OK.

"I did some experimentation using "telnet" on port 80 directly, and found that packets are being routed based only on the payload regardless of the original destination address: I can (for example) retrieve the Slashdot front page by using "telnet www.google.com 80" and asking for "http://www.slashdot.org http/1.1". The tech support folks seem to be stonewalling me: the main contact tells me that the behavior is "not broken" even though it clearly violates RFC 1812, the standard set of rules for IP routing.

"The practice of "transparent" proxy routing seems to be growing more widespread. It appears to break the internet standard in a way that works for most folks for now, but that breaks port 80 usage in general. Looking ahead, this breakage seems like a growing nightmare waiting to happen. At the very least, I expect more instances of my particular problem to appear as folks give up on the corporate hegemony of ICANN. More insidiously, transparent proxy routers break the layered nature of the internet protocol and restrict the flexibility that made it work in the first place. One would hope that such proxies would at least act like routers when the fancier proxying fails, but at least my ISP's doesn't. What about your ISP's?"
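The experiment described in the post (connect to one site's server on port 80 and ask it for a different site) written up as a diagnostic you can run yourself. This is added example code, not from the original post or any commenter; the marker string, the constructed sample response and the function names are assumptions.

```python
import socket

def build_request(host: str, path: str = "/") -> bytes:
    # Absolute-URI request line plus Host header: exactly the two things a
    # payload-routing proxy looks at when it ignores the destination IP.
    return (
        f"GET http://{host}{path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")

def parse_response(raw: bytes):
    # Minimal HTTP/1.x response parser: (status_code, {lowercased header: value}, body).
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body

def verdict(status: int, headers: dict, body: bytes, marker: str) -> str:
    # The unrelated server we connected to has no reason to serve the requested
    # host's page. If a marker known to appear only on that page comes back,
    # something between us and the server routed the request by its payload.
    if marker.encode("utf-8") in body:
        return "intercepted: response carries content for the requested host"
    return "no interception evident: unrelated server answered %d (server=%s) without it" % (
        status, headers.get("server", "?"))

def probe(unrelated_ip: str, requested_host: str, marker: str, timeout: float = 10.0) -> str:
    # Live probe: connect to an IP that is NOT the requested host's server and ask
    # it for the requested host's front page. Needs network; not exercised offline.
    with socket.create_connection((unrelated_ip, 80), timeout=timeout) as s:
        s.sendall(build_request(requested_host))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return verdict(*parse_response(b"".join(chunks)), marker)

# Constructed sample: what a payload-routing proxy would hand back when an
# unrelated IP is asked for the Slashdot front page (not a real capture).
SAMPLE_INTERCEPTED = (
    b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
    b"<html><head><title>Slashdot: News for nerds</title></head></html>"
)

def demo() -> str:
    # Offline run of the classification over the constructed sample.
    return verdict(*parse_response(SAMPLE_INTERCEPTED), "Slashdot")

if __name__ == "__main__":
    print(demo())
```

Run `probe("<ip of some unrelated web server>", "www.slashdot.org", "Slashdot")` against your own uplink to repeat the post's test; a plain router gives you the unrelated server's own page or an error, never the requested host's content.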


Here is the NSLookup output (-1, Offtopic)

Anonymous Coward | about 12 years ago | (#3213631)

Here is the NSLookup output:

They are using name based virtual hosting so you need to find the path to the virtual host - which they have so nicely set up. This IP address takes you to none other than hick.org! So, if you do the following:

http://209.242.124.241/goat/

you will get to your favorite picture. Thus, you won't be able to simply replace the IP address because you need a URL to get to the picture.

Enjoy.

Use netcat... (4, Informative)

samrolken (246301) | about 12 years ago | (#3213635)

You can use netcat to route your own port 80 traffic. Simply get a good UNIX shell account, and configure your router to direct to that. It becomes a real version of what you would be trying to do. However, I would bitch like crazy if my ISP did anything like that to me. If I want to connect to port 80 on something, I would want to be connecting to such port 80. Any fiddling with it would sure make me drop that ISP in an instant.

Re:Use netcat... or your own proxy server... (2, Informative)

samrolken (246301) | about 12 years ago | (#3213648)

Or, you could use your own proxy server, like Squid for UNIX or AnalogX Proxy for Win32. You might try something like the port + 65536 rule. Port 80 becomes port 65616 or something (That may not be precise), and that would confuse your router, but still be port 80. I used a similar trick to get around similar proxying at school.

Re:Use netcat... or your own proxy server... (0)

Anonymous Coward | about 12 years ago | (#3213681)

How's running your own proxy supposed to help? The connection to the server on the other side is to port 80, so it will be channeled through whatever proxy his ISP has in place, no matter if it's coming from your web browser or your proxy. Besides, while that would be against every convention, port 80 could be used for something very different from HTTP, in which case any web proxy would break it.

Re:Use netcat... or your own proxy server... (2, Insightful)

samrolken (246301) | about 12 years ago | (#3213698)

That's why I suggested adding 80 to 2^16 and setting your proxy to connect at that port. It's the same port, the auto-proxy-router thing just wouldn't see it as such.

Re:Use netcat... or your own proxy server... (2, Informative)

Anonymous Coward | about 12 years ago | (#3213726)

That requires an external box, like the shell account the original comment mentioned. If you have that, you could use some more advanced schemes like routing only the SYN packets for port 80 through your external account. This way you wouldn't cause three times the traffic like you do with a proxy (your connection plus twice the external connection).

Re:Use netcat... or your own proxy server... (3, Insightful)

khuber (5664) | about 12 years ago | (#3213742)

You might try something like the port + 65536 rule.

How could a number outside 16 bits make it to a router since TCP only holds 16 bits for ports? If you wrap around to 80, you have 80, not 65616.

-Kevin

Re:Use netcat... or someone else's proxy server (4, Informative)

samrolken (246301) | about 12 years ago | (#3213665)

I should have posted all this in one comment... oh well...

You could also use a third party proxy server. You can find gobs of them here:

http://tools.rosinstrument.com/proxy/

and here:

http://directory.google.com/Top/Computers/Internet/Proxies/Free/?tc=1

Re:Use netcat... or someone else's proxy server (1)

zaffir (546764) | about 12 years ago | (#3213825)

Again, before his packets get ANYWHERE, they have to go through that proxy his ISP is running. Setting another proxy would just be sending him through two.

Re:Use netcat... or someone else's proxy server (0)

Anonymous Coward | about 12 years ago | (#3213868)

No, most proxies listen on ports 8000 or 8080. Very few listen on port 80 and you don't need to use these. The transparent proxy decides that it wants to intercept the connection by looking at the destination port.

Re:Use netcat... or someone else's proxy server (0)

malachai (62092) | about 12 years ago | (#3213896)

But ports other than 80 aren't messed with at his ISP, so using someone else's proxy not on port 80 would help.

Tunneling (3, Interesting)

Matthaeus (156071) | about 12 years ago | (#3213651)

I recently had this problem with my university account... They route all resnet web traffic through an old 386 proxy server that can't handle the load. Find a free proxy out there and SSH tunnel to it. I'm sure there are more elegant means of getting through a poorly configured proxy, but this'll work as a quick fix.

The proper policy (0)

Anonymous Coward | about 12 years ago | (#3213652)

The proper policy for an ISP should be using an optional proxy.

That's how my connection works, and it works just beautifully - since I can set it to use the proxy for some sites, but not others :)

Perfect for all uses, and the average user has no idea :)


one possible solution (2)

ruud (7631) | about 12 years ago | (#3213654)

find a friend who has a colocated server or dsl connection.

then use that machine as a web proxy, or set up an ipsec tunnel to that machine and route your port 80 traffic through that tunnel.

Use a different port, and use webhop.org (0)

Anonymous Coward | about 12 years ago | (#3213666)

Many ISPs do this; just use a different port. I use port 8001.

Wasn't port 80 supposed to be HTTP? (1)

Brecker (66870) | about 12 years ago | (#3213668)

The real problem is that you're probably using port 80 for something other than its explicit purpose. Port 80 is the domain of HTTP, which has its own set of rules.

As long as you're using HTTP, the "payload" is all that matters! A proxy is certainly not required to route anything anywhere! It's your fault--not your ISP's--that you choose to disregard the other relevant standards. If you would embrace the DNS standard, HTTP standard and the routing standard, you'd have no troubles.

OpenNIC (3, Informative)

glasn0st (564873) | about 12 years ago | (#3213734)

The poster mentioned that he used OpenNIC, which is an alternative DNS root. It is proper HTTP, but a transparent proxy that does not "see" domains in this namespace effectively blocks you from viewing web pages under these domains.

His own box is properly configured to do OpenNIC lookups, but the HTTP request to the (proper) webserver gets intercepted. Now the proxy has to do the real HTTP request, but the proxy does not know about the alternative domains and probably returns a "Host not found" error.

I haven't heard of free proxy servers supporting one of the alternative NICs, and I doubt the ISP will be interested in subscribing to such a service. I guess the only solution will be to convince a friend to set up a proxy on a box someplace else.

Some alternative roots have their own "real" Internet domain which acts as a gateway domain, for instance name.space has http://name.space.xs2.net/ (regular hostname) which enables non-subscribers to view http://name.space/ (namespace only), making the domains available globally. If OpenNIC provides such a service, an alternative solution could be to run some proxy at home and let it rewrite OpenNIC urls into "regular" URLs.

Re:Wasn't port 80 supposed to be HTTP? (2)

Dr. Zowie (109983) | about 12 years ago | (#3213736)

Actually, that's not true. Often you want to send an arbitrary HTTP request to an arbitrary host. See my example in the article.

Cheers,
Craig

Re:Wasn't port 80 supposed to be HTTP? (0)

Anonymous Coward | about 12 years ago | (#3213739)

Could you please read the question before posting a reply?

Thanks.

Re:Wasn't port 80 supposed to be HTTP? (5, Insightful)

Jerf (17166) | about 12 years ago | (#3213741)

I reply to this because I bet a lot of people are going to think this.

The real problem is that you're probably using port 80 for something other than what it's explicit purpose.

No, that's not it at all. Follow the openNIC [unrated.net] link.

What he's trying to do is resolve an address, via the perfectly standard and normal DNS protocol, with an alternative root server. This is also perfectly standard and normal. This is not a violation of DNS, nor any other protocol, nor is it a particularly weird thing to want to do. (Unusual, but perfectly normal.)

The problem is that his ISP is catching all traffic to port 80, and redirecting it to their proxy. Thus, when he asks for "http://www.something.nonstandardroot", the web proxy is interfering with the request (presumably after his home computer correctly resolved the DNS address of www.something.nonstandardroot), catching the GET part of the HTTP request, extracting the server name, and attempting on its own to resolve the name.

(Note this is a complete waste: The home computer has probably already resolved the address, now the proxy will resolve it again.)

Unfortunately, the proxy is too ignorant to know how to resolve the alternate DNS address. It's not incapable in the technical sense, it just doesn't understand root servers it's not configured for. The problem is that this means that the perfectly normal and acceptable HTTP request, for an HTML document, on an IP address the client computer has already perfectly normally resolved, gets lost, because the proxy doesn't know how to resolve the address. Bad proxy!

A workaround, albeit a sucky one, is to resolve the address on one's home computer, then go to that IP address manually. This still causes problems on subdomain-aware webservers, where several domains or subdomains may all come from the same IP address, and the server wants to use the host part of the HTTP GET request to differentiate what to serve. (You could code up a quick Python/TK script to do this, but it'll still suck.)

So, when you say a proxy is not required to route anything anywhere, you've accidentally hit on the exact problem: a proxy shouldn't be routing, because it may not know how. This proxy tries to. That's why it sucks.

And to cover the last part of your post, there's absolutely nothing non-standard about any of this, except the behavior of the proxy, which is the only thing in this whole mess that hasn't "embrace[d] the DNS standard, HTTP standard and the routing standard". ICANN's root servers are not written into RFC's. They are merely common practice, one that many people, probably correctly, believe is an increasingly dangerous common practice [kuro5hin.org]. (You may not completely agree, but the opinions deserve consideration.)

Re:Wasn't port 80 supposed to be HTTP? (0)

Anonymous Coward | about 12 years ago | (#3213771)

That's not the problem. Internet protocol dictates that if a request is made to transmit/receive an IP datagram between host A and host B, it gets there.

There is nothing in any RFC that states, 'An attempt to open a port on a specific host may also open a port on some other host in between, which may or may not forward the request'.

This is analogous to the U.S. Post Office opening your mail destined for John Doe, Anytown and inspecting the contents. If there is nothing inside the envelope, they'll just trash it.

So as far as your understanding of DNS/HTTP standards go, keep trying.

Re:Wasn't port 80 supposed to be HTTP? (0)

Anonymous Coward | about 12 years ago | (#3213775)

You can use port 80 for anything you please.
It doesn't have to be HTTP.

You can also run HTTP on any port that suits your fancy.

Re:Wasn't port 80 supposed to be HTTP? (1)

chriton (29476) | about 12 years ago | (#3213793)

I'm probably an id10t for even taking the time to reply to this sad post, but...

HTTP is an application layer protocol. What the ISP is doing to try and make their proxy "transparent" is changing the way the internet layer is working.

The ISP should be determining if you are making a true HTTP request at their gateway router(s) and rerouting from there if appropriate. If you aren't making an HTTP request, the proxy should stop interfering with your request and let it pass normally.

I would have to say the clue-free poster to whom I am idiotically responding is the one who isn't "embracing the DNS standard, HTTP standard and the routing standard". Probably because (s)he doesn't know what they are.

A little port 80 knowledge is a dangerous thing.

Re:Wasn't port 80 supposed to be HTTP? (2, Insightful)

foofboy (7823) | about 12 years ago | (#3213838)

I don't see a problem with what he's trying to do.

The problem he's having is that he's asking for an OpenNIC web site, and not receiving the page. The problem is as follows:

The "address" of the site he's looking for is present in two separate places in the request he's making. The IP Header includes the IP address of the site, and the HTTP header includes the URL, which includes the server name.

When he requests a webpage from an OpenNIC TLD, his machine correctly resolves the hostname, and constructs a request, which is sent through his ISP. The web proxy intercepts the request, and tries to proxy his request, so that it can be cached for later lookups.

Apparently, the Web cache is not configured to lookup machines under OpenNIC TLDs. That's reasonable, but that shouldn't stop a web browser from being able to see the web page.

If the web proxy can't identify the hostname present in the URL, it should simply pass it through, allowing the client (who already knows the IP), and the Web Server (who also, clearly, already knows its own IP) to communicate. This would prevent the client from gaining the benefit of the cache, but would allow the client and server to communicate.

By accusing the poster of "[choosing] to disregard the other relevant standards," I can only assume you're talking about his testing the web requests through a telnet client. I think that was an excellent troubleshooting procedure. It clearly identified the source of the problem.

HTTP does have its own rules, but none of those rules should override TCP/IP. If this user makes a request to a web server (he's obviously already identified the IP address of the server, or he wouldn't be attempting an HTTP request), the caching proxy shouldn't be hijacking his request for any reason. It may be misconfiguration, or it may be broken proxy software, but it certainly isn't the user's fault.

Re:Wasn't port 80 supposed to be HTTP? (3, Insightful)

Skapare (16644) | about 12 years ago | (#3213929)

If you connect to a specific IP address, a transparent proxy should connect to that very same IP address. If it connects to any other for any reason, it is applying a sort of "routing" logic. Apparently what happens is because the client includes an HTTP version 1.1 "Host" header, the proxy prefers to do a DNS lookup on the hostname given, and (if it finds it) connect there instead of the client's original destination IP address.

This is broken. If the proxy has a different idea of what domain names mean, it gets the wrong web site, or perhaps fails to get one at all. A correct transparent proxy implementation should always connect to the very same IP address the client tried to connect to without regard to the "Host" header (which must also be passed along). A DNS lookup can still be done to optimize the cache. If the destination IP address is in the list of A records from the DNS query, then it can simply be matched to the cache by name alone. However, if the IP address does not match any that DNS gets, then those pages can still be cached, but they must be cached under the tuple of both the destination IP address and the "Host" header name together (as this content can be different than any other for the same host name or the same IP address).

Maybe someone can provide a list of which transparent proxy cache programs do it wrong, and which do it right (as I have not examined these programs). I don't know if peakpeak.com will change out the software once they find something that does it right (or even make a configuration change if it turns out that's all that is needed). Ironically, if you find an outside proxy server which can do it right for you, you could connect directly to that service via a different TCP port and end up defeating the efforts of your ISP to save upstream bandwidth by caching.
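The two proxy behaviours discussed in Jerf's and Skapare's posts above, as an added example (not code from the thread, and not any particular proxy product): a small model of the upstream-selection step of a transparent HTTP proxy. `broken_upstream` does what the thread describes, re-resolving the name taken from the request with the proxy's own DNS and ignoring where the client actually connected; `correct_upstream` applies Skapare's rule, always connecting to the client's destination IP and using DNS only to choose a cache key, falling back to the (name, destination IP) tuple when the address is not one DNS returned. The resolver table, the `wiki.example.geek` name and the addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

# Constructed resolver table for the example: what the ISP's proxy can resolve
# (ICANN names only).  The OpenNIC-style name used below is deliberately absent.
PROXY_DNS: Dict[str, List[str]] = {
    "www.example.com": ["203.0.113.10", "203.0.113.11"],
    "www.google.com": ["198.51.100.1"],
}
# What the client's own resolver (assumed OpenNIC-aware) returned for the site.
CLIENT_RESOLVED_GEEK = ("wiki.example.geek", "192.0.2.77")

CacheKey = Tuple[str, Optional[str]]  # (host name, destination IP or None)


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Return (method, request-target, headers) from a raw HTTP/1.x request head."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def requested_host(target: str, headers: Dict[str, str]) -> str:
    """Host name the request names: absolute-URI target first, else the Host header."""
    if target.lower().startswith("http://"):
        return target[len("http://"):].split("/", 1)[0].split(":", 1)[0]
    return headers.get("host", "").split(":", 1)[0]


def broken_upstream(dst_ip: str, raw: bytes) -> Optional[str]:
    """What the thread describes: ignore the client's destination IP and re-resolve
    the name with the proxy's own DNS.  None models the proxy's 'host not found'."""
    _, target, headers = parse_request(raw)
    addrs = PROXY_DNS.get(requested_host(target, headers))
    return addrs[0] if addrs else None


def correct_upstream(dst_ip: str, raw: bytes) -> Tuple[str, CacheKey]:
    """Skapare's rule: always connect to dst_ip.  DNS only decides the cache key:
    the name alone when dst_ip is one of the name's addresses, else (name, dst_ip)
    so content served under the same name from another address is never mixed up."""
    _, target, headers = parse_request(raw)
    host = requested_host(target, headers)
    key: CacheKey = (host, None) if dst_ip in PROXY_DNS.get(host, []) else (host, dst_ip)
    return dst_ip, key


if __name__ == "__main__":
    host, ip = CLIENT_RESOLVED_GEEK
    req = f"GET / HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()
    print("broken :", broken_upstream(ip, req))   # None -> the proxy's error page
    print("correct:", correct_upstream(ip, req))  # ('192.0.2.77', ('wiki.example.geek', '192.0.2.77'))
```

The second case in the test below is the article's own `telnet www.google.com 80` experiment: the client connected to one address but asked for another site by name. The broken proxy happily fetches the named site from a different address; the correct one serves whatever the connected address returns and keeps it in a cache slot that cannot be confused with the real site.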

Depends (0)

Anonymous Coward | about 12 years ago | (#3213671)

Without some "outside" help, there isn't much you can do. In the long run however, it would help if everyone tried to use protocols which are opaque to the transport: SSL, IPSec, etc.

Sounds like what my college does (3, Informative)

AntiNorm (155641) | about 12 years ago | (#3213678)

Onenet [onenet.net] is the internet "service" provider to most state agencies within Oklahoma, including Oklahoma State University, where I am currently working on a BSEE. Neglecting Onenet's other issues (AOL's netadmins could do a better job than Onenet's), they have a "transparent" web cache proxy. More often than not, errors fetching a web page come not from the browser or the site itself as they should, but from the proxy. DNS errors from the proxy are not uncommon. As for switching ISPs, I can't, which really sucks. But for what I can reach on the net, I'm still getting ultra-cheap broadband :P.

Re:Sounds like what my college does (1)

cscx (541332) | about 12 years ago | (#3213839)

Heh, happens at my university too. They are using Cisco (I think) web proxy caching servers to help "alleviate" the bandwidth on our Resnet connections. However, I often get 0-byte and truncated files returned to me through HTTP. Thanks, proxy.

same problem (3, Interesting)

babycakes (564259) | about 12 years ago | (#3213684)

We had pretty much the exact same problem with our ISP, in that if we sent HTTP requests out without any proxy configuration, they would often take a couple of times to get through, since our ISP's transparent proxying didn't work. However, on setting the browser's proxy settings to the proxy itself, this seemed to solve the problem since it would ask the proxy directly.

Don't ask me why :)

Who is Xenu? (-1, Offtopic)

Anonymous Coward | about 12 years ago | (#3213685)

I'm going to tell you a story. Are you sitting comfortably? Right, then I'll begin.
Once upon a time (75 million years ago to be more precise) there was an alien galactic ruler named Xenu. Xenu was in charge of all the planets in this part of the galaxy including our own planet Earth, except in those days it was called Teegeeack.

Now Xenu had a problem. All of the 76 planets he controlled were overpopulated. Each planet had on average 178 billion people. He wanted to get rid of all the overpopulation so he had a plan.

Xenu took over complete control with the help of renegades to defeat the good people and the Loyal Officers. Then with the help of psychiatrists he called in billions of people for income tax inspections where they were instead given injections of alcohol and glycol mixed to paralyse them. Then they were put into space planes that looked exactly like DC8s (except they had rocket motors instead of propellers).

These DC8 space planes then flew to planet Earth where the paralysed people were stacked around the bases of volcanoes in their hundreds of billions. When they had finished stacking them around then H-bombs were lowered into the volcanoes. Xenu then detonated all the H-bombs at the same time and everyone was killed.

The story doesn't end there though. Since everyone has a soul (called a "thetan" in this story) then you have to trick souls into not coming back again. So while the hundreds of billions of souls were being blown around by the nuclear winds he had special electronic traps that caught all the souls in electronic beams (the electronic beams were sticky like fly-paper).

After he had captured all these souls he had them packed into boxes and taken to a few huge cinemas. There all the souls had to spend days watching special 3D motion pictures that told them what life should be like and many confusing things. In this film they were shown false pictures and told they were God, The Devil and Christ. In the story this process is called "implanting".

When the films ended and the souls left the cinema these souls started to stick together because since they had all seen the same film they thought they were the same people. They clustered in groups of a few thousand. Now because there were only a few living bodies left they stayed as clusters and inhabited these bodies.

As for Xenu, the Loyal Officers finally overthrew him and they locked him away in a mountain on one of the planets. He is kept in by a force-field powered by an eternal battery and Xenu is still alive today.

That is the end of the story. And so today everyone is full of these clusters of souls called "body thetans". And if we are to be a free soul then we have to remove all these "body thetans" and pay lots of money to do so. And the only reason people believe in God and Christ was because it was in the film their body thetans saw 75 million years ago.

Well what did you think of that story?

What? You thought it was a stupid story?

Well so do we. However, this story is the core belief in the religion known as Scientology.* If people knew about this story then most people would never get involved in it. This story is told to you when you reach one of their secret levels called OT III. After that you are supposed to telepathically communicate with these body thetans to make them go away. You have to pay a lot of money to get to this level and do this (or you have to work very hard for the organisation on extremely low pay for many years).

We are telling you this story as a warning. If you become involved with Scientology then we would like you to do so with your eyes open and fully aware of the sort of material it contains.

Most of the Scientologists who work in their Dianetics* centres and so called "Churches" of Scientology do not know this story since they are not allowed to hear it until they reach the secret "upper" levels of Scientology. It may take them many years before they reach this level if they ever do. The ones who do know it are forced to keep it a secret and not tell it to those people who are joining Scientology.

Now you have read this you know their big secret. Don't let us put you off joining though.

* Dianetics and Scientology are trademarks of the Religious Technology Centre. This document is not connected with that organisation in any way.

I'd have a little sitdown with the ISP (-1, Troll)

Profane Motherfucker (564659) | about 12 years ago | (#3213686)

Before you get all fucking wound up in this bitch, why not just have a little sitdown with the bitchass bastards at the ISP? Maybe they can work out this assrape affair.

Tell these fucks, in no uncertain terms, how much their bush league bullshit is ruining your ability to do even the most mundane fucking thing and that you might take your business to someone who isn't quite so fucking inept at even the most basic routing tasks. If they're not a bunch of ass pumping whores, they might be willing to work with you.

Education (3, Interesting)

radoni (267396) | about 12 years ago | (#3213688)

At my high school, the current system for blocking webpages was introduced as a means to cache commonly used pages and make the District 225 intranet faster. The superintendent and members of the district board know very little about computers, so naturally it is approved. After the Columbine incident, a new feature was tacked on that blocked certain objectionable web sites. The recent WTC attack caused even more areas of the net to be restricted. Today, when I want to search "terrorism" for a paper on the war in Afghanistan, my results are blocked. Teachers have informed us that we must use the one non-blocked computer in the tech room, or do research at home.

My friend set up an anonymous web surfing proxy on his home computer, and using this I can get whatever I want.

There are publicly available anonymous port-80 proxies still around.

Re:Education (2, Insightful)

MrHat (102062) | about 12 years ago | (#3213751)

I'll tell you what I'd do.

1. Refuse to use the machines at school for any internet access. Period.

2. Let the board and the teachers know why. Tell them they've taken a good thing and turned it into a complete waste of tax money by senselessly restricting.

3. Ask the board why they think their current system is capable of making better judgements than their salaried teachers.

This is probably why I really didn't get along with anyone in high school. But this stuff really ticks me off - usually some overzealous admin taking the liberty of forcing his/her idea of "good" on to everyone.

could this be more of an anti-server thing instead (0, Offtopic)

NotAnotherReboot (262125) | about 12 years ago | (#3213689)

I know my ISP's AUP doesn't allow ANY servers of ANY type (which is ridiculous, but I know for a fact that whining will get me nowhere with them). One of the ways they do this is to actually block anything coming in on port 80 to block an http server. Of course, I just change the port, but it could very well be that your isp just doesn't want you running a server and is trying to find an automated solution to stop most people.

Re:could this be more of an anti-server thing inst (1)

beebware (149208) | about 12 years ago | (#3213709)

The question is about blocking port 80 outbound not port 80 inbound.

Re:could this be more of an anti-server thing inst (0)

Anonymous Coward | about 12 years ago | (#3213782)

doesn't allow ANY servers of ANY type
You'd better make sure that you always use PASV mode FTP then or you'd be breaking the rules!

My Experience on ISP with faulty service (5, Interesting)

Jucius Maximus (229128) | about 12 years ago | (#3213700)

I used to have an ISP that, although they allowed you to have your own site (on their webspace), loading the site was just damn SLOW for anyone who tried. It was much faster if the pages were hosted somewhere on another continent compared to an ISP with a server in the same city.

The thing is, they probably won't listen to problems like this, or your proxy issue in most cases. But I found a way to make them listen to you:

Phone them up saying that you want to cancel the service. Mention something about their web hosting being broken. They will probably say that they will have a management person phone you back to confirm the process.

When they do phone back, for me, the call was like "Hello, there was a call earlier about a slow connection?" And at this point you have someone on the line who is interested in helping you, has power in the organisation to really fix things (because they're management or a senior tech) and they want to get your issue fixed so they don't lose your business. And THIS is when you really try to explain what's going on.

This was my experience. Perhaps it will work for you.

Lots of ways to work around your ISPs. (5, Informative)

BrookHarty (9119) | about 12 years ago | (#3213711)

Proxy servers: they might not be caching 8080 or other proxy ports. Check http://tools.rosinstrument.com/proxy/ [rosinstrument.com]

Bouncers: you set this program on an external server on a port that's not filtered. You just point your browser at this IP/port and you're outside your filtered ISP. Check www.freshmeat.net [freshmeat.net]

SSH, tunnel or route from an external box.

Really, if you can't go through it, go around it, either with software or networking.
-
Well, if crime fighters fight crime and fire fighters fight fire, what do freedom fighters fight? They never mention that part to us, do they? - George Carlin
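The "bouncer" workaround above (and ruud's earlier suggestion of routing port-80 traffic through a friend's colocated box), as an added example that is not code from the thread or from any bouncer package on freshmeat: a minimal TCP forwarder. On the outside box it listens on a port the ISP does not intercept and relays every byte, both ways, to an upstream such as a local caching proxy; the browser is then pointed at that box and port, so nothing leaves the home network on port 80. The ports `8001` and `3128` in the comments are placeholders, and the echo server is a constructed stand-in for the real upstream so the example runs offline on loopback.

```python
import socket
import threading
from typing import Callable, Tuple

Addr = Tuple[str, int]


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until EOF, then half-close dst so the peer sees EOF too."""
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client: socket.socket, upstream: Addr) -> None:
    """One accepted connection: open the upstream leg and pump both directions."""
    try:
        server = socket.create_connection(upstream, timeout=10)
    except OSError:
        client.close()  # upstream down: drop the client rather than hang it
        return
    server.settimeout(None)
    back = threading.Thread(target=_pump, args=(server, client), daemon=True)
    back.start()
    _pump(client, server)
    back.join()
    client.close()
    server.close()


def _listen(addr: Addr) -> socket.socket:
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind(addr)
    lsock.listen(16)
    return lsock


def _serve(lsock: socket.socket, handler: Callable, *args) -> None:
    """Accept loop shared by the bouncer and the constructed echo upstream."""
    while True:
        try:
            conn, _ = lsock.accept()
        except OSError:
            return  # listening socket was closed: shut down
        threading.Thread(target=handler, args=(conn, *args), daemon=True).start()


def start_bouncer(listen: Addr, upstream: Addr) -> Tuple[socket.socket, int]:
    """Run the forwarder in the background; returns (listening socket, bound port)."""
    lsock = _listen(listen)
    threading.Thread(target=_serve, args=(lsock, _relay, upstream), daemon=True).start()
    return lsock, lsock.getsockname()[1]


def _echo(conn: socket.socket) -> None:
    with conn:
        while chunk := conn.recv(65536):
            conn.sendall(chunk)


def start_echo_server() -> Tuple[socket.socket, int]:
    """Constructed stand-in for the real upstream (e.g. a caching proxy): echoes input."""
    lsock = _listen(("127.0.0.1", 0))
    threading.Thread(target=_serve, args=(lsock, _echo), daemon=True).start()
    return lsock, lsock.getsockname()[1]


def send_through(port: int, payload: bytes) -> bytes:
    """Client side: send payload to the bouncer on 127.0.0.1:port, return the reply."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        out = b""
        while chunk := c.recv(65536):
            out += chunk
        return out


def demo(payload: bytes = b"GET / HTTP/1.0\r\n\r\n") -> bytes:
    """Wire client -> bouncer -> echo upstream on loopback and return what comes back."""
    echo_sock, echo_port = start_echo_server()
    bounce_sock, bounce_port = start_bouncer(("127.0.0.1", 0), ("127.0.0.1", echo_port))
    try:
        return send_through(bounce_port, payload)
    finally:
        bounce_sock.close()
        echo_sock.close()


if __name__ == "__main__":
    # Real use on the outside box (placeholder ports): start_bouncer(("0.0.0.0", 8001),
    # ("127.0.0.1", 3128)), then set the browser's HTTP proxy to <box>:8001.
    print(demo())
```

Because the forwarder is byte-for-byte, it carries the HTTP request untouched to the upstream proxy; the ISP only ever sees a TCP stream to port 8001, which its port-80 interception never inspects. Anyone who can reach the bouncer port can use it, so in real use bind it to a firewall-restricted address or put it behind an SSH tunnel rather than leaving it open.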

Hold on here! (1, Informative)

Anonymous Coward | about 12 years ago | (#3213717)

The submitter seems a little confused about how HTTP proxies are required to work. The ISP's proxy seems to be working exactly according to the standard. Taking an HTTP request with an absolute URI and redirecting it to the server specified by the URI is a MUST according to RFC 2068 (the HTTP/1.1 standard). Moreover, using a different name resolution system than the server for your client and expecting it to work is a MUST NOT, as it can lead to proxy looping.

Re:Hold on here! (0)

Anonymous Coward | about 12 years ago | (#3213768)

You're right: If there is a transparent proxy, that is how it's supposed to work. But this leaves the question if it's ok for an ISP to deny you a direct connection to port 80 on any system. This could be interpreted as "broken routing". If you send a SYN-packet to www.google.com:80 there's nothing in any protocol involved which would suggest that this packet will be intercepted by an intermediate system and handled differently from, say, a similar packet to port 22. Unless the ISP clearly stated that the use of their proxy is compulsory, they probably have to offer a way to turn it off.

Re:Hold on here! (0)

Anonymous Coward | about 12 years ago | (#3213797)

That's a trickier question but it's probably not unreasonable to specially handle IP traffic on one of the well-known ports. It's not desirable and they should notify you that it's happening, but not unreasonable to do so.

Re:Hold on here! (0)

Anonymous Coward | about 12 years ago | (#3213791)

What if you don't want to use port 80 for HTTP traffic though? This is where the problem is...

Re:Hold on here! (0)

Anonymous Coward | about 12 years ago | (#3213810)

That could create some problems (iow: it wouldn't work), but that is not what the original question is about. He's using port 80 for http, but with a different set of root nameservers. This breaks transparent proxying. ("How" is explained really well in some other comments.)

Re:Hold on here! (1)

DotComVictim (454236) | about 12 years ago | (#3213866)

Actually, no. You have specified exactly how manual HTTP proxies are supposed to work. What is broken is the practice of doing this transparently. The ISP is clearly doing this because they can't afford a better uplink and think customers are too dumb to enter proxy settings. Time to switch ISP.

You could request http://ipaddress, but that breaks multihosted web sites that switch on the request URL.

long-term solution (1)

vsavkin (136167) | about 12 years ago | (#3213723)

Support wide use of IPSEC.
Encrypted payload will prevent broken routers from looking into it.

Re:long-term solution (0)

Anonymous Coward | about 12 years ago | (#3213816)

Another dumb solution to a non-problem.

Re:long-term solution (2)

Junta (36770) | about 12 years ago | (#3213886)

Have you ever configured IPSEC connections, particularly across platforms? The most cross-platform methods are x509 certificates and preshared keys. Neither method is viable to distribute among everyone. Sure, with x509, you can in theory have common CAs sign your keys and use that with x509, but that costs money. You could preshare your own CA certificate and sign it yourself, but then you need the same amount of connection setup for every site you connect to as you had before.

More likely solution is to configure your own proxy beyond the ISP's control. Also not easy, since most people don't have machines in that position, but your suggestion is strange enough by itself.

IPSEC wasn't ever meant to be used for opportunistic encryption applications (like https, ssh, etc), but to establish connections on a more long term basis that would be used for arbitrary protocols, not such common ones.

Administrative competence / certifications (0, Offtopic)

cravey (414235) | about 12 years ago | (#3213735)

Once again, we're shown what happens when someone who doesn't know what they're doing gets into the pilot's seat. In the past, I've seen the situation complicated by management demanding that something be implemented NOW. This leads to a new technology being put in place as an improperly implemented solution. In the end, when you consider the amount of support work required for it, it ends up being cheaper to do it right, but more slowly. For some reason too few people realize this.

Certifications would certainly seem to alleviate the frequency of many of these occurrences, but in practice, I have seen too many certified employees who really don't understand the basic ideas of what they're trying to do. Sure they have a piece of paper stating that they passed the test, and may have paid $20k for a 1 month course in their given certification, but without real experience with the technology, it's all worthless. Combine this with management that believes that technical staff is merely there for implementation and not design or recommendation and you have a cycle where poor decisions are implemented 'just to get by' and are depended upon from that time on because no one who knows what they're doing has the authority to veto stupid decisions.

What we really need are more certifications that concentrate on ability and broad based knowledge than a specific way of doing things for not only admins, but also the managers of those admins. An incompetent manager has no business having the authority to tell a network admin to implement a new technology on a specific schedule. I fear that competent admins will soon become only slightly more respected than the guy who unclogs the toilet.

Re:Administrative competence / certifications (0)

Anonymous Coward | about 12 years ago | (#3213893)

Money is a very important factor. The market is so bad that the company I work for is hiring non-skilled people for tech support and application admins. The reason? It's easier to hire someone at 30K than 65K and save money. We have multiple levels. Level 2s and 3s are your basic skilled admin. Level 4s are your main experienced guru, and team lead. Level 1s are non-skilled, normally people fresh out of school.

They hired a dozen level 1s and expect the level 3s to teach them how to use unix/etc/scripts. It's a fucking joke. You wonder why it takes forever to get tech support to fix something! The top tier of people staffed are mostly UNSKILLED...

..competent admins will soon become only slightly more respected than the guy who unclogs the toilet.

Too late, they dont care anymore. "A Monkey can do your job" seems to be the general thought..

Their way or the highway (3, Informative)

Lumpish Scholar (17107) | about 12 years ago | (#3213740)

(1) Line up a serious alternative ISP. Talk to their sales department; see if they do the same thing.

(2) Talk to your ISP's sales department. Tell them your problem. Tell them you're ready to move. (Perhaps ask what the hit rate of the cache is, that is, if the overhead is worth it for them.) See if they offer any accommodation.

(3) Go with the ISP that does what you want.

If you're using them for DSL, you may not have a lot of choice.

(As others suggested, if host resolution is your issue, you could run a local proxy on your 127.0.0.1 interface that converts host names into addresses.)

Re:Their way or the highway (4, Informative)

Jerf (17166) | about 12 years ago | (#3213774)

(As others suggested, if host resolution is your issue, you could run a local proxy on your 127.0.0.1 interface that converts host names into addresses.)

Unfortunately, that's not a complete solution. Example: Compare my home page [jerf.org] versus the IP address [65.196.231.181] that hostname resolves to.

Lots of servers do this.

Re:Their way or the highway (1, Informative)

Anonymous Coward | about 12 years ago | (#3213818)

It's called "name based virtual hosting" and is actually a recommended practice because of the ip-address-shortage.

Re:Their way or the highway (2)

Lumpish Scholar (17107) | about 12 years ago | (#3213913)

Can the local proxy send the IP address in the GET command but the original host name in the Host: header?

Re:Their way or the highway (2)

Dr. Zowie (109983) | about 12 years ago | (#3213778)

Very good suggestions, and I'm planning on doing steps (1) through (3).

As far as a local proxy: that won't work with virtual hosting in a non-ICANN name space. The immediate problem is that I can't retrieve non-ICANN web pages because the proxy tries to resolve the non-ICANN name in the payload, using ICANN DNS. I can always ask for numeric addresses, but virtual hosting (where a server gives you different pages depending on the name you ask for) is widespread enough that there are many web pages I can't retrieve even in principle.

Cheers,
Craig

Re:Their way or the highway (1)

Phroggy (441) | about 12 years ago | (#3213798)

(As others suggested, if host resolution is your issue, you could run a local proxy on your 127.0.0.1 interface that converts host names into addresses.)

Not sure what you're trying to suggest here, could you elaborate? How would this local proxy fetch pages, through the ISP's proxy? If not, then why run a local proxy at all? Keep in mind that translating names into IPs before a request is made won't work for servers using name-based virtual hosts. What did you mean?
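Lumpish Scholar's question in this subthread (numeric address in the request line, original name in the Host header) as an added example, not code from the thread: the rewriting step such a local proxy on 127.0.0.1 would perform. It resolves the name with an alternative resolver, moves the numeric address into an absolute-URI request line, preserves any port, and keeps (or adds) the Host header so name-based virtual hosts still get the name. The resolver table, the `wiki.example.geek` name and the addresses are constructed; whether this gets past the ISP's proxy depends on whether that proxy connects to the request-line address or re-resolves Host, and Dr. Zowie's reply above reports the latter for his ISP.

```python
from typing import Dict, List, Optional, Tuple

# Constructed alternative-resolver table (assumed OpenNIC-style name plus one
# ordinary name); a real local proxy would query the alternative root instead.
ALT_DNS: Dict[str, str] = {
    "wiki.example.geek": "192.0.2.77",
    "www.example.com": "203.0.113.10",
}


def _split_authority(authority: bytes) -> Tuple[bytes, bytes]:
    """b'host:port' -> (host, b':port'); b'host' -> (host, b'')."""
    host, sep, port = authority.partition(b":")
    return host, (sep + port) if sep else b""


def rewrite_to_ip(raw: bytes, resolver: Dict[str, str] = ALT_DNS) -> Optional[Tuple[str, bytes]]:
    """Rewrite one HTTP/1.x request so its request line carries the numeric address
    while the Host header still names the site.  Returns (ip, new_request), or None
    when the request is malformed or the name is unknown to the resolver."""
    head, blank, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    method, target, version = parts
    headers: List[bytes] = lines[1:]
    host_idx = next((i for i, h in enumerate(headers) if h.lower().startswith(b"host:")), None)

    if target.lower().startswith(b"http://"):
        # Absolute-URI form: the authority is in the target itself.
        authority, _, path = target[len(b"http://"):].partition(b"/")
        path = b"/" + path
    elif host_idx is not None:
        # Origin form: the authority comes from the Host header.
        authority = headers[host_idx].split(b":", 1)[1].strip()
        path = target
    else:
        return None  # origin-form request without Host: nothing to resolve

    host, port = _split_authority(authority)
    ip = resolver.get(host.decode("ascii", "replace").lower())
    if ip is None:
        return None  # not in the alternative namespace either; let the caller pass it on
    new_line = b" ".join([method, b"http://" + ip.encode("ascii") + port + path, version])
    if host_idx is None:
        headers.append(b"Host: " + authority)  # HTTP/1.1 requires Host; keep the name
    return ip, b"\r\n".join([new_line] + headers) + blank + body


if __name__ == "__main__":
    req = b"GET /index.html HTTP/1.1\r\nHost: wiki.example.geek\r\n\r\n"
    print(rewrite_to_ip(req))
```

The returned IP is where the local proxy would open its TCP connection; the rewritten bytes are what it would send. Port and path survive the rewrite, and a request that only the alternative root can resolve is the one case that actually changes; everything else can be forwarded unmodified.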

Look At It From the ISP's Standpoint (5, Insightful)

ocip (200888) | about 12 years ago | (#3213747)

If you look at it from your ISP's standpoint transparent proxies aren't as evil as you make it sound.

99.9% of the ISP's clients aren't trying to do anything tricky, like this. Of those 99.9%, say, only 40% have a proxy server specified. These 40% get to enjoy faster web browsing--which is probably all they're doing anyway. The other 60% enjoy slightly less quick web browsing, but that's their own fault, right? They're the only ones losing out, right?

Wrong. The ISP has to pay for bandwidth. The ISP doesn't like the proxy only because it makes browsing snappier, it likes the proxy because it also saves them on bandwidth costs! If the other 60% of the clients were using the proxy they might save 10%, or more, on total bandwidth costs.

You could think of it like this, too: that's 10% more bandwidth available for the clients at no additional cost to the company (apart from the capital for the proxy server). Yes, they're not perfect, but they make a difference. When you weigh the pros and cons, well, it's obviously going to be worth it for the ISPs to have it installed.

You could look around for an ISP that doesn't use a transparent proxy but, as you said, they're becoming more popular. Realise that they're not doing it to squash your freedom, but instead to provide better service and to save money.

Re:Look At It From the ISP's Standpoint (2)

Dr. Zowie (109983) | about 12 years ago | (#3213806)

That's a very good point.


What I'm complaining about is that the proxy has a bad failure mode: when the usual resolution method fails, the proxy ought at the very least to fail softly and route the packets like a real router should. Unfortunately, it doesn't -- it generates an error message instead.

Re:Look At It From the ISP's Standpoint (0)

Anonymous Coward | about 12 years ago | (#3213847)

This wouldn't work in the case of DNS conflicts. The only real solution would be to add an HTTP header which tells the proxy which server to connect to, numerically. That would of course cause some serious cache poisoning issues.

Re:Look At It From the ISP's Standpoint (1)

vsavkin (136167) | about 12 years ago | (#3213906)

This wouldn't work in the case of DNS conflicts. The only real solution would be to add an HTTP header which tells the proxy which server to connect to, numerically.

Additional headers are not needed. Just use destination IP from packets sent by the client.

That would of course cause some serious cache poisoning issues.

Unless the proxy identifies an object not by URL alone but by the (URL, server_ip) pair. Unfortunately, in this case content from sites which use DNS round-robin for load balancing will be duplicated in the cache, thus making caching less efficient.

Re:Look At It From the ISP's Standpoint (1)

ocip (200888) | about 12 years ago | (#3213902)

I'm all for this kind of smart handling, but most ISPs don't write the proxy software (or any other software, usually) they use, so it would have to be implemented in the package they license.

Re:Look At It From the ISP's Standpoint (0)

Anonymous Coward | about 12 years ago | (#3213828)

Then the right thing to do for the ISP would be to require explicit proxy usage and completely block port 80 and sell it as such, not as complete, unfiltered internet access.

If proxy usage is expected to be no problem, let it be explicit, if the ISP wants to enforce it, they may do that with filtering, but transparent proxying is a way of lying.

Re:Look At It From the ISP's Standpoint (2, Informative)

ocip (200888) | about 12 years ago | (#3213891)

It is much easier for an established ISP to simply implement a transparent proxy, rather than to have all of its clients configure their browser to use a proxy. Remember, only 40% have it configured already. 60% don't. And, of that 60%, maybe 5% have even heard of it before. It really, REALLY sucks to have thousands of customers calling a support desk to configure their browser to use a proxy.

Re:Look At It From the ISP's Standpoint (0)

Anonymous Coward | about 12 years ago | (#3213922)

I currently work at the helpdesk for a Local Bell Monopoly (I'm in the south), both DSL and Dialup. Trust me, we like browser issues--they're quite easy!

ISPs required by law to block port 80 in Singapore (4, Interesting)

tangent3 (449222) | about 12 years ago | (#3213761)

Here in Singapore, ISPs are required by law to block port 80, forcing all outgoing http requests to go through a proxy server (which filters out webpages which are deemed unsuitable for Singaporeans to view, including www.playboy.com), or to have a transparent proxy server blocking out such requests.

This has caused me many problems before, when my IP gets determined wrongly by the remote site (which naturally takes the proxy server's IP for my IP address). Some applications don't like the transparent proxy either, for example FrontPage Extensions (not my choice to use!), and an autopatching program which refused to download the latest version of a file, insisting on downloading only the file cached in the proxy server until the cache gets flushed.

The only real method of bypassing the proxy is to use another proxy server (since 8080 isn't blocked) outside the ISP's network. This tends to be really slow though.

I guess I have to live with this until the government one day realises that proxy servers cannot stop the people from viewing pr0n, and it's probably not worth maintaining the proxy servers to meet the demands of all the net users in Singapore, not to mention maintaining the list of sites to block.

Re:ISPs required by law to block port 80 in Singap (2)

SomeoneYouDontKnow (267893) | about 12 years ago | (#3213858)

OK, this is a bit OT, but since you're from Singapore, I'm curious about something. I know that when filtering was proposed there, many people weren't happy about it. Has there ever been a move to form something akin to the EFF to protest this, or is the political situation still such that doing this would get you hauled into court by the government?

The whole political situation there baffles me. More repressive governments have been forced to reform by popular protests. Why hasn't it happened in Singapore? You'd think that, with the extent to which the country is connected to the rest of the world, people would see what's happened in places like Indonesia, Thailand, Yugoslavia, etc. and want to do the same.

corrections, suggestions, etc (5, Informative)

MattW (97290) | about 12 years ago | (#3213762)

First of all, the phrase "routing" is a misnomer. Web caching is something that happens on the application layer of the OSI model, layer 7, whereas "routing" refers to layer 3, which supplies IP routing for the TCP/IP protocol suite. What's broken is their caching, their cache server, or their proxying; pick a term.

Second, there's a lot of ways around it which involve tunnelling.

Tunnel to another box running a non-broken web cache. I used to tunnel my http traffic through ssh to my colocated boxes, which ran adzapper, and proxied through that.

Tunnel at the IP layer by running any IP-in-IP encapsulation. If you have some version of windows, for example, you might convince someone with a server to run a PPTP server for you somewhere and you could tunnel through that. There are even Free PPTP Servers for Linux [poptop.org] available to help.

Find someone who runs a little proxier for their own net with SOCKS, and bounce off their SOCKS proxy. Someone you know on another ISP probably has Wingate or the like running, and if they allowed it (and on some older versions, it will permit this by default), you could set your browser's SOCKS settings to bounce off their proxy server, and since SOCKS isn't on port 80, your ISP will probably ignore it.

There are also a number of things you might discuss with your ISP to resolve the issue.

Suggest that they switch to a less broken cache server. (Squid [squid-cache.org], anyone?)

Suggest that they exempt you specifically from the cache server by telling it to ignore your ip address.

Note that they have an obligation to make sure their caching software doesn't interfere with your browsing; so it will be necessary (and not cost-effective for them) for you to call for every problem you notice.

Obviously, you'll need to probably speak to a whole number of supervisors, and probably eventually get transferred to a "real engineer", and they will probably hack in a fix (like exempting you only) rather than truly deal with the problem.

If all else fails, then you may want to try issuing ultimatums, like, "If you can't fix this problem, then you can cancel my service." Tech support people are lazy, however, in some cases, and may just opt to cancel you. This is a harsh reality in the world of consumer bandwidth -- and it will be worse, soon, with bells closing their DSL lines to competition, meaning unless someone else builds a telephony infrastructure to you, you'll probably pick Cable vs 1 DSL provider, and if you don't like something at either of them, you're just out of luck.

Re:corrections, suggestions, etc (2)

Dr. Zowie (109983) | about 12 years ago | (#3213790)

> First of all, the phrase "routing" is a misnomer. Web caching is something that happens on the application layer of the OSI model, layer 7, whereas "routing" refers to layer 3, which supplies IP routing for the TCP/IP protocol suite. What's broken is their caching, their cache server, or their proxying; pick a term.

Thanks for the helpful comment!

What I'm complaining about is that their router (layer 3) routes all port-80 packets to a cache server that looks at the payload only (layer 7) and not at the header at all. In short, they're not routing correctly; they've broken the layered structure of the protocol.

Re:corrections, suggestions, etc (2)

MattW (97290) | about 12 years ago | (#3213813)

Possibly. There's a decent chance that the cache server is actually responsible for passing all the traffic, actually. A lot of routers can't properly route-cache if you try policy-based routing (which you must in order to route by port and not just destination IP + routing table). So ALL packets get passed through the cache server, but it just forwards non-port 80 traffic, since a mere receive/send is very quick, as its routing table will likely consist of only a dozen or so entries (the vast majority of which will be its default route out), and the cache server is likely to be sitting between their backbone routers which have to maintain BGP tables and the DSL lines/etc in question.

Be sure to try the other helpful suggestion I read of trying port 65616 (that is the right port, btw) -- if your proxy server is stupid, it might pass that on. Of course, you'd have to type it into your URLs a lot, but it is still a way to get around the cache when you need to, if it works.

Re:corrections, suggestions, etc (1)

vsavkin (136167) | about 12 years ago | (#3213860)

A lot of routers can't properly route-cache if you try policy-based routing (which you must in order to route by port and not just destination IP + routing table).


If you mean Cisco routers, that's why they invented WCCP. It's the most effective way to make cisco route port 80 packets to a proxy server.

Re:corrections, suggestions, etc (0)

Anonymous Coward | about 12 years ago | (#3213861)

He does not have a problem with the cache interfering with his request as such. He can't make the proxy connect to the right webserver. That is a problem related only to domain names and their resolution to ip-addresses. To connect to a webserver on the standard port 80, you have to send a SYN-packet to that server's ip-address. That (and all subsequent packets of the connection) are intercepted by the proxy. There's nothing you can do to avoid that, as ip-packets don't carry port numbers higher than 65535 (16 bit).

Re:corrections, suggestions, etc (1)

jhanson (463867) | about 12 years ago | (#3213895)

I'm not sure if using squid would help. It looks to me like the problem is that when requests are made from openNIC, they don't work. Installing squid wouldn't help because it wouldn't be able to resolve openNIC names either. However, it might be worth asking them if they could add an openNIC nameserver.

Re:corrections, suggestions, etc (5, Interesting)

Phroggy (441) | about 12 years ago | (#3213912)

Tech support people are lazy, however, in some cases, and may just opt to cancel you.

Au contraire. Tech support people are tired of listening to customers whine about problems that tech support people cannot fix. If customers have unreasonable expectations, and refuse to listen to us, it's far better for the company if they just cancel service and go elsewhere (becoming somebody else's problem).

Also, nonchalance about canceling service is sometimes the best way to make customers understand that we really are doing our best to help them, and we're not just blowing them off. Sounds weird, but here's an example:

Customer has a problem with their DSL service. We've identified that the problem lies with the phone company. Phone company has given us a commit date of Tuesday by end of business day for repair to be complete. For whatever reason, the customer feels like they've been dragged around, and their service isn't getting fixed. Customer says if they're not up and running by 9:00am Monday morning, they're cancelling service.

Customer expects us to bend over backwards to get them up and running by 9:00am Monday morning. We can't. There is absolutely nothing we can do. It's out of our hands. Customer needs to understand this. Customer will have the same problem at any competing DSL ISP, but we're the ones who have identified the problem and are getting it fixed.

We respond by repeating to the customer that we have been given a commit time of Tuesday by end of business day, but that we cannot guarantee that the issue will be resolved by then. We then offer to the customer that if this is unacceptable and they'd prefer to cancel service, although we'd hate to lose them as a customer, we'd be more than happy to transfer them to someone who can take care of that.

This has the effect of making it clear to the customer that we really mean what we say. Usually, they shut up, keep their account, and let us do our jobs. Often, they'll ask to be transferred to get the account cancelled, then hang up during the transfer.

The alternative is to offer the customer incentives to try to convince them to stay with us, such as offering a free month of service, or a credit on their account. This costs us money, and gains nothing - if the customer has the expectation that we're willing to give him free service, he'll try to take advantage of it in the future. Far too many ISPs have failed for this very reason.

At the last few ISPs I've worked for, nearly all my coworkers have been genuinely interested in helping the customer, and we've been fortunate to have management that allows us to do so. I understand that at some companies this is not the case; those are obviously the ones to avoid.

Sorry for ranting. Getting back on track: ultimatums like "if you don't fix this problem, I'll cancel my service" sometimes are a good idea. That will tell you whether or not you can get the issue resolved. Be prepared to actually cancel, because if they can't resolve the issue, that's what will happen. If they can but just don't want to, threatening to cancel may just be the incentive they need to get it done.

The REAL solution (2)

Reality Master 101 (179095) | about 12 years ago | (#3213769)

The BEST solution that unfortunately will never be implemented is to allow specifying a port number in a DNS lookup. Then when the browser or e-mail looks up the address, one could also specify a port that you want.

Unfortunately, this ain't gonna happen without a rewrite of everything.

Re:The REAL solution (2)

Reality Master 101 (179095) | about 12 years ago | (#3213777)

Actually, I mis-read his question. Apparently his problem is outgoing port 80, rather than incoming port 80 block, which is what I'm addressing.

Re:The REAL solution (0)

Anonymous Coward | about 12 years ago | (#3213844)

What will be improved by this? DNS may be manipulated by the ISP too, even if people don't use their ISP's DNS: it can be transparently proxied as well.

What brand of transparent proxy is it? (3, Interesting)

billstewart (78916) | about 12 years ago | (#3213789)

Do you know what brand of attempting-to-be-transparent proxy cache server they're using? Proxy caching is an important performance enhancer for ISPs, corporate firewalls, and other bottleneck network environments, and "transparent" proxies are less trouble for the ISP and for the users as well (especially since many users wouldn't bother configuring their browsers for them unless either they're pre-configured by the ISP or forced to use the proxy by firewall rules that block non-proxy access.)

Of course, the problem with transparent servers is when they're not, and your ISP seems to have one that isn't. Is it possible to find out what kind it is, either by telnetting to the thing and looking at headers or by asking the ISP, and can you do bug reports to the vendor to get them to fix their product?

Re:What brand of transparent proxy is it? (0)

Anonymous Coward | about 12 years ago | (#3213831)

The issues he has with his ISP's transparent proxy can not be worked around.

This saves LOTS of bandwidth (4, Insightful)

theCoder (23772) | about 12 years ago | (#3213805)

My college [purdue.edu] has a similar set up because it saves an incredible amount of bandwidth. It's not to be mean, or malicious, or spy on your browsing habits, it's just to save bandwidth. And it does (I wish I had numbers to back this up, but I don't run the proxy).

There have been problems with the proxy in the past (it not returning any data) and there are still some minor issues, but on the whole it works well (in that you don't ever notice it).

It sounds like the ISP in question has a bug in their web cache code. If the web cache doesn't have the particular URL cached, it forwards the request to the intended destination. I'd bet it's trying, but it can't look up whatever OpenNIC URL is being specified (because it doesn't use OpenNIC). The ISP really should report this bug to the manufacturer.

My advice is this -- get the ISP on your side to fix the problem. They won't remove the proxy, and they shouldn't have to if the bug is fixed.

Re:This saves LOTS of bandwidth (1)

isj (453011) | about 12 years ago | (#3213874)

I have some numbers. I run squid locally.
$ fgrep HIT access.log|wc -l
3410
$ fgrep MISS access.log|wc -l
5850

Isn't it IP-based if OpenNIC already resolved? (0)

my brain hurts (451541) | about 12 years ago | (#3213807)

If you're using an OpenNIC DNS, shouldn't the client computer already have the IP address of the appropriate server? The request should be going out to an IP address, so I don't see why the ISP's proxy would want to interfere.

For example, if I typed http://64.28.67.150 into my browser, would the ISP's cache try to resolve that? or would it just forward the request to that address?

another example of this (0)

Anonymous Coward | about 12 years ago | (#3213812)

I have Cox cable modem (since @Home is dead). One day I found that I could not get to
http://www.cryptome.org via a web browser. I thought maybe the site was down, but I was able to get to it via a web proxy, and also ping www.cryptome.org was working. Does anyone know what this means? Just a bad DNS server along the way, or malicious blocking? The web browser reports: HTTP Error 403 - Forbidden.

Qwest once had a transparent proxy in Des Moines (1)

ddkilzer (79953) | about 12 years ago | (#3213830)

Qwest Communications [qwest.com], before selling dial-up and DSL customers [slashdot.org] to MSN [msn.com], once had a transparent web proxy set up in Des Moines, Iowa. All outgoing HTTP traffic to port 80 was routed through the proxy.

The worst part was that when the proxy went down, packets continued to be routed to it, but tier 1 tech support personnel (located in another state--probably Minnesota) had no idea that the proxy even existed. The only way to work around it was to use a web proxy somewhere on the Internet that did not operate on port 80!

Qwest finally removed the transparent proxy shortly before switching customers to MSN. I eventually switched to Mediacom cable modem [mchsi.com] at home and McLeodUSA DSL [mcleodusa.com] at work.

AOL ignores ports (4, Interesting)

Anonymous Coward | about 12 years ago | (#3213833)

AOL's transparent proxy is a little worse. It ignores the port and proxies anything that looks like HTTP. Of course, they deny having a transparent proxy, but I was able to watch packets leaving our network headed for AOL and then watch altered packets come back from AOL.

I stumbled across this when their proxy had some trouble with the cookies we were using and suddenly no one on AOL could use our service. A few minutes later they could again. Then they could not. During this time, I was running a packet logger on the outgoing traffic from our server and on the incoming traffic to a workstation I had connected to AOL. Everything worked fine until the server sent the cookie. Then AOL suddenly stopped sending more packets. This occurred on every port I tried, even ports reserved for other services.

The behavior is correct. (5, Informative)

xanthan (83225) | about 12 years ago | (#3213835)

The web cache is exhibiting correct behavior. When a forward proxy cache (transparent or not) gets a request in the form of GET http://www.site.com/ http/1.1, it will use the www.site.com address instead regardless of what original dns name you went to (www.google.com in your example). In the transparent case where the GET statement looks more like GET /content.html http/1.1, it will use the original destination address.

In other words, it's your client that's broken. See RFC 2616 for details.

The unfortunate truth is that more often than not, sites simply don't set their cache controls correctly. They forget that caches don't exist just on the server side but that they exist on the client side as well. Section 13 of RFC 2616 explains how they work in great detail and it really should be mandatory reading for any site administrator.

If you're still looking for more information on web caching, check out Content Delivery Networks by Scot Hull. It was just released and is available on Amazon. There is an enlightening section on web caching that should clearly explain why what you're seeing is in fact correct behavior.
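As an added illustration of the RFC 2616 behaviour xanthan describes (this is example code written for this page, not code from the thread or from any proxy product), the model below shows how an intercepting cache picks the origin server under section 5.2, and adds the two behaviours argued for earlier in the thread: fall back to the intercepted packet's destination IP when the name cannot be resolved (Dr. Zowie's "fail softly"), and key the cache on the (URL, server_ip) pair so that fallback cannot poison entries served to other clients (vsavkin's point). All names, addresses and the resolver table are constructed.

```python
"""Added example, not code from the thread or from any proxy vendor.
Models how an intercepting HTTP cache picks the origin server under
RFC 2616 section 5.2, with soft-fail to the packet's destination IP and
a (URL, server_ip) cache key.  Names, addresses and the resolver table
are constructed for the demonstration."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the ISP's ICANN-only DNS view; the addresses
# are from the RFC 5737 documentation range, not the real sites.
ICANN_DNS: Dict[str, str] = {
    "www.google.com": "192.0.2.10",
    "www.slashdot.org": "192.0.2.20",
}


def icann_resolve(name: str) -> Optional[str]:
    """Address for an ICANN name; None for anything the ISP's resolver
    does not know, such as the constructed OpenNIC name 'example.geek'."""
    try:
        ipaddress.ip_address(name)
        return name                      # numeric literal, nothing to look up
    except ValueError:
        return ICANN_DNS.get(name)


@dataclass(frozen=True)
class Target:
    host: str                   # Host header value the origin will see
    ip: str                     # address the proxy actually connects to
    path: str
    cache_key: Tuple[str, str]  # (URL, server_ip), vsavkin's pair


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split an HTTP/1.x request head into (method, request-target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, *_version = request_line.split(" ")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def choose_target(raw: bytes, dst_ip: str,
                  resolve: Callable[[str], Optional[str]] = icann_resolve,
                  soft_fail: bool = True) -> Target:
    """Decide where an intercepted request goes.  dst_ip is the destination
    address of the client's TCP connection, i.e. the SYN the proxy grabbed."""
    _method, target, headers = parse_request(raw)
    if target.startswith("http://"):
        # absolute-form: the URI's host wins and any Host header is ignored
        # (RFC 2616 5.2), which is why 'telnet www.google.com 80' followed by
        # 'GET http://www.slashdot.org/' really does return Slashdot
        parts = urlsplit(target)
        host = parts.hostname or dst_ip
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        ip = resolve(host)
        if ip is None:
            if not soft_fail:
                # the failure mode the thread complains about
                raise LookupError(f"proxy cannot resolve {host}")
            ip = dst_ip            # fail softly: trust the IP header instead
    else:
        # origin-form: the transparent case; the packet's destination is
        # authoritative and Host only selects the virtual host
        host = headers.get("host", dst_ip)
        path = target
        ip = dst_ip
    url = f"http://{host}{path}"
    return Target(host=host, ip=ip, path=path, cache_key=(url, ip))
```

Under section 5.2 an absolute-form request with an IP literal in the request line and a different Host header connects to the literal and the Host value is ignored, so the "IP in the GET, name in Host:" idea raised earlier in the thread does not reach the named virtual host through a compliant proxy.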

Kaputt = kaputt (0, Troll)

Pussy Is Money (527357) | about 12 years ago | (#3213837)

First of all, this has nothing to do with "Port-80 routing", whatever that means. Second, if your ISP won't allow you to bypass their proxy, then your ISP is screwed, and any workaround you choose to implement will be so fragile and/or cumbersome as to be unusable. There is no third.

Port Blocking (1)

Aknaton (528294) | about 12 years ago | (#3213845)

My very lame ISP, AT&T Broadband, blocks my incoming port 80. What can I do to get around this?

Thanks!

Re:Port Blocking (1)

phebz23 (156640) | about 12 years ago | (#3213909)

Probably get a different ISP. If you just want to serve web pages, you could always set up your web server to listen on a different port, like 8080 for example.

How to find a transparent proxy's IP address (2, Informative)

ddkilzer (79953) | about 12 years ago | (#3213853)

If you want to find the IP address of a transparent proxy, simply point your web browser at a web page that will print out "your" IP address when you request a web page. Instead of printing the IP of your firewall or your host, it will print the transparent proxy's IP address.

For example:

After that, you may be able to do some more investigation into what kind of host it is and/or what kind of software it is running. (This is left as an exercise for the crac...err, reader.)

Re:How to find a transparent proxy's IP address (2, Insightful)

Bender Unit 22 (216955) | about 12 years ago | (#3213865)

Not for sure, most proxy/switch solutions can do IP spoofing so the remote webserver can't detect it. This is often done to avoid user/login problems on systems that base parts of their security on IPs. If the site then has its proxy rules set correctly in the meta tags or header information, the "hidden" proxy won't cause any problems or cache any information.

It's in the layers. (4, Informative)

Bender Unit 22 (216955) | about 12 years ago | (#3213854)

Normally what you do is layer 4 switching, but note that you can do switching on layer 7 as well, which means you can have the switch do URL-based switching so that a part of the URL determines that it should get switched. This requires much more power and is mostly done for server switching like load balancing.

What happens in your case might be that they have placed a switch that can do at least layer 4 switching, between you and the internet.
What then is done is that all port 80 requests coming from the client's side (you) are redirected to the proxy, which means that HTTP requests on other ports will not be cached. Note that anonymous FTP can also be proxied.
A "clever" proxy/switch solution can do IP spoofing so the webserver gets your IP adr. and sends it back to you directly, but as there is a switch in between, it redirects the result to the proxy which then sends the result back to you.

A way to avoid it is to get a gateway somewhere that can channel your HTTP traffic; you could set your browser to use this gateway as a proxy on any port. The switch will most likely not act on the traffic coming on this port and pass it through.

The easy way would be installing a proxy server on a box that you have access to on the outside and configure it so that it won't cache anything.

Sounds like Cisco's WCCP (1)

Krakken (5124) | about 12 years ago | (#3213869)

I just implemented a Cisco CE507 at work. WCCP on our core Cisco router redirects port 80 to the cache engine.
Saves bandwidth and speeds delivery of often viewed pages.

How can you detect transparent proxying? (2)

dfelznic (8812) | about 12 years ago | (#3213899)

Hello,
How can you detect transparent proxying? Or opaque proxying?