Slashdot Mirror

Tor isn't magic pixie dust, and is easily blocked. (Tor even publishes a constantly-updated list of Tor exit nodes)

My employer has its notebooks configured to only allow connections through the corporate VPN if you're not at an office. For fun, I've tried blocking connections to the VPN, to see of other traffic works; unsurprisingly, our admins did their job well.

As soon as an admin forces all outgoing traffic to go through their monitored http(s) proxy, you've lost anonymity - at a minimum enough to get yourself fired for violating the company acceptable use policy.

Even Squid allows monitoring of https, which shows that a proxy can foil https as well.

squid is worthless nowadays as everything is https, unless you are intercepting and decrypting the traffic using squid's SSLbump.

If you want to selectively block media types, you can do that using a browser extension installed on each PC. Or you can set up a proxy on localhost on each PC and have the browser installed on that PC trust that proxy's root certificate. Then you're back down to two parties being able to see the communication: the client and the localhost proxy, and the server. This regains blocking by media type but loses a shared cache.

It's also possible to configure your Squid proxy to behave differently on sites that are unusually privacy-sensitive using a stare rule. Log the SNI field of each ClientHello message from your proxy's clients. Build a list of which hostnames ought to be cached (high-traffic sites) or not (financial or medical sites), and be transparent with your users about the process of building this list. Bump (MITM) the high-traffic sites so that you can cache them, and splice (tunnel) the sensitive ones so that you can reassure users that your proxy isn't snooping this particular connection. The user will be able to tell whether a connection is through your proxy by looking at who issued the certificate. For example, in Firefox, one can click the lock in the URL bar, click the right arrow, and read "Verified by:".

On the other hand, see replies to bigjosh on Coding Horror Discourse, who expressed the same need for caching. One of the replies expresses a possibility that the fact of having read articles about a particular subject on Wikipedia might itself be sensitive even if Wikipedia is public and cacheable.

> I bought a half dozen of the RPi kits when they came out and I've only unboxed one. I played with it and did exactly nothing of value with it. I keep meaning to pick it up and learn more but I can't actually think of anything I'd want to do with it or with the rest of them.

--There are *lots* of things you can do with a PI that are pretty neat. If you already know Linux, you can just leave the board up and running 24/7 with minimal power expense.

--I chose to implement my Squid server on a Cubieboard instead, but you can do basically the same with a PI.

--Some links to get you started:

https://communities.vmware.com...
^^ This is a complete drop-in Squid Vmware appliance that I created. Once you get a Linux distribution installed on the PI, you can install the Squid package on it as well and copy the config files over.

http://www.squid-cache.org/

http://www.instructables.com/i...

http://www.pcworld.com/article...

http://www.itpro.co.uk/mobile/...

http://www.digitaltrends.com/c...

--Your local LUG (Linux User Group) should be able to help you get started and maybe give you some ideas on what to do with the board(s). HTH

https://en.wikipedia.org/wiki/...

--I recommend you designate a Saturday (or whatever day is $convenient) and resolve to do something with at least one Pi board. Feel free to email me with progress reports ;-)

http://www.squid-cache.org/

Firefox most secure? No! No! No!
They dont care about security.
Look at this bug and think again.
While Chrome can connect to proxy over https, Firefox cant. And wont any soon i guess.

Since you're in such a remote area, your visitors very likely also have slow connections at home too. Why not cache the updates instead? You'll be contributing towards a safer, more secure internet.

The first person who downloads them would cause a drain on the network, but at least all future attempts would be served up from your cache. You could even have a spare machine downloading the updates overnight, pre-populating the cache for your visitors, to reduce the burden updates cause during the day.

I've used the instructions here with great success on Squid: http://wiki.squid-cache.org/SquidFaq/WindowsUpdate

Apparently Apple iOS updates can be cached too, e.g.: http://lkrms.org/caching-ios-updates-on-a-squid-proxy-server/

They also dont care about security. While Chrome can connect to secured proxy, FF can't and i think it won't any time soon.
This is the reason i have to recommend Chrome to my users as the (most) secure browser

But... how do you KNOW they're doing what they say they're doing? Really? Without an intentional MiTM machine you can use to analyze what is ultimately being sent upstream to SpiderOak, you can't be sure.

Remember too, peeling apart and masquerading SSL/https sites is VERY easy to do, including certificate forging. Many companies do this today to decrypt (yes, decrypt) SSL traffic to then scan the plaintext content of the request. Heck, you can even set up Squid to do that if you want.

http://blog.blackfoundry.com/2011/06/02/break-open-dropbox-ssl-traffic-with-squid-proxy/

http://www.squid-cache.org/Doc/config/ssl_bump/

Source? It's true for disk cache because you're limited to random seek and read speeds, but shouldn't be for SSDs.

Just go and ask. I would have to post long and complicated chat logs which present criteria much more complicated than I mentioned.

irc://chat.freenode.net/squid

You should also read the FAQ to get an idea of the RAM limitation associated with a large cache.

http://wiki.squid-cache.org/SquidFaq/SquidMemory

Yes, you can override the no-cache headers in Squid. Use a refresh pattern and ignore or override the headers the server sends to defeat the cache:

http://www.squid-cache.org/Doc/config/refresh_pattern/

Squid works fine with Kerberos and AD authentication. And since Vista and Windows 7 are a pain to setup Proxy authentication on Squid ntlm_auth most people should be using Kerberos or digest right now.

http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

Transparent proxies work just fine.

How?

Tproxy. We use it all the time on our customers' networks.

Transparent proxies require that the router redirects the relevant packets to them instead of the real server

Correct.

(DNAT target on iptables) and would not work without NAT, unless the DNS requests also got intercepted

Incorrect. No NAT required. The TPROXY netfilter target will intercept matched traffic and send it to a local process instead - no NAT happens here, the packet just gets _routed_ to a local process with the original IP and TCP headers unmodified.

If your proxy is not on the gateway router machine itself, then you have 2 options:
1. Add routing rules to the border router to route the appropriate traffic to the proxy (where it will be intercepted by the TPROXY target). If there are other routers between the proxy and the border router then these need the same rules, which can be a little messy so we only usually use this option if the border router and proxy server are on the same subnet.
2. Do (1), but over a GRE tunnel between the border router and the proxy so that any routers between the two don't need to care about special routing rules.

On the whole, because no connection tracking is involved, you don't need to care about avoiding asymmetric routing so this works out easier to manage than using DNAT to redirect the traffic (for this reason I'd advise against using DNAT to implement transparent proxying even in IPv4-only situations).

Make subnet the schools machines on unroutable. Setup a squid http://www.squid-cache./ proxy and use http://www.squidguard.org/ http://www.squid-cache.org/. Point all machines at the squid cache. It is how my friend got threw teen years with his kids. The easier approach: K9 Web Protection - Free Internet Filter and Parental Control ... www.k9webprotection.com/ is another interesting choice. Still a lot of arguments are correct, sometimes it isn't worth trying to sanitize things, better to try to learn about them.

yeah, me too. while it's probably better to have the high-precision timestamps, for me it's more useful to have them readable.

I have the same problem with squid logs - they use unix time_t with milliseconds for the timestamp. more precise but less readable. I filter the lines through a small perl script to reformat the dates when i need to tail or process them:

#! /usr/bin/perl -p
use Date::Format ;
s/^\d+\.\d+/time2str("%Y-%m-%d\/%H:%M:%S", $&)/e;

this is similar to what is mentioned in http://wiki.squid-cache.org/Features/LogFormat but with the improvement (IMO) that the timestamp still only takes one column (compared to localtime() making it take 5 columns), so it doesn't mess up other processing scripts that depend on the detail being in specific columns)

from this;
1322779413.527
to this:
2011-12-02/09:43:33

It would be annoying to have to do that for syslog logs too. I don't really need millisecond precision for my system logs anyway, near enough is good enough. All i need is accuracy and consistency across multiple systems - and ntp gives me that.

Well, they can still MITM the connection, since they have the power to install their own CA certificate on the employees' computers.

Squid has SslBump and Dynamic SSL Certificate Generation for such purpose.

Well, they can still MITM the connection, since they have the power to install their own CA certificate on the employees' computers.

Squid has SslBump and Dynamic SSL Certificate Generation for such purpose.

..Squid?
http://www.squid-cache.org/

Squid works well as a transparent proxy, when used in conjunction with a log parser, might be just what you're looking for.

Speaking of squid, its 2011, is squid ever gonna support ipv6? There's not much software out there that doesn't support v6, and squid is probably the most famous.

http://wiki.squid-cache.org/Features/IPv6

Thank you for researching that.

Hurray for squid-dy... I'll mosey on over to http://packages.debian.org/search?keywords=squid and install it... Oh... I see.

Apparently ver 3.1 will probably be release with the next version of Debian, but not yet available, not even in unstable. Till then its 2.7..

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=299706

Speaking of squid, its 2011, is squid ever gonna support ipv6? There's not much software out there that doesn't support v6, and squid is probably the most famous.

http://wiki.squid-cache.org/Features/IPv6

You probably downloaded it from here

Debian bug regarding TPROXY, SNAT, DNAT

This site suggests that TPROXY patches are available to support IPv6, though I don't know exactly how that relates to SNAT/DNAT.

HTH,
-l

Squid sounds kind of like what you're trying to get at. It's a web proxy for HTTP/FTP. Frequently-requested pages are cached locally, so if an ISP runs it, then they can avoid querying out to the wider Internet and avoid all the extra hops associated with that.

It could probably be extended (heck, maybe some ISP privately has, or done similar work thereof) to include the BitTorrent protocol: each torrent has a unique identifying hash, so it's theoretically possible for an ISP to monitor a swarm and cache each piece and serve it back via a proxy if traffic on a particular torrent starts to get extremely high.

Now, if you were pirating Copyrighted Movie of the Year, would you really trust your ISP to be sitting there with:

• The data contained in a file, to prove that its content is Copyrighted Movie of the Year,
• A reliable link from a given hash to that data, and
• Logs that could be used to prove that you downloaded that data from a torrent with that exact hash?

Most people probably wouldn't, even if the ISP did set it up for the pragmatic purpose of keeping their network snappy. Protocol Encryption (PE) was added to many clients primarily because of traffic-shaping ISPs, but this would give another really good reason for pirates to encrypt their streams. And if a study were to come out that suggests that an overwhelming majority of BitTorrent traffic consists of infringing content, there's an observable incentive to use PE, which would really mess with an ISP's BitTorrent proxy. (This story isn't so much a "study" as it is "silly", for reasons you only need to scroll up in the thread to find.)

USENET is the same, of course. In fact, ISPs often already do run their own NNTP servers for their customers to access, though many don't carry the alt.* hierarchy which contains a lot of the huge data files. For that, you can hit up third-party providers, and it's again up to the ISP to determine if it's worth caching via proxy, and it's up to the consumer to determine if the risk that the ISP is doing that is worth end-to-end encryption. Again, any third-party USENET provider worth their salt provides the option for SSL encryption.

There's a theme here: wherever an ISP could potentially step in and cache data a few hops closer to the user, the user has the option to encrypt traffic so that the ISP can do nothing but forward the data through, as it's pretty much useless to them.

This is a good thing, for so many reasons other than keeping pirated activity hidden, and that's why you will see the same huge data files getting transferred over the Internet multiple times over, and a contributing factor to why it might be a good idea to treat the ISPs like common carriers.

I'm currently using Privoxy, which allows domain and URL-based wildcard blocking. It can even rewrite the content of pages on the fly, spoof the user-agent, and remove the "referrer" header. It runs on windows or nix, you can have your DHCP server assign it as the proxy, or you can transparent proxy if you want.

I had used Squid previously, it did the job, but was overkill for the simple blacklisting capabilities I needed.
Before Squid, I had a Windows DNS server, and would add SOA records for bad domains (this was fairly simple through the DNS admin interfaces), I tried doing it on Linux, but it seemed to be more pain that it was worth.
One issue I discovered in the windows solution, was the damn thing was flooding the root DNS servers trying to update the records for the blocked domains (there was a setting to disable this, I don't remember it).

How could you set a proxy preference in Firefox, and not allow it to be changed by the user?

Use a transparent/intercepting proxy like Squid. As numerous organizations do. What web browser you're using and what its proxy settings are should be irrelevant. Whenever I see a visible proxy that's an indication to me I'm dealing with amateurs.

---

Marketing talk is not just cheap, it has negative value. Free speech can be compromised just as much by too much noise as too little signal.

Part of the point of anyone doing streaming video (or audio) is that the data doesn't touch the hard drive thus preventing (casual) recording, only screen captures of single frames.

Most streaming media can be downloaded to the hard drive easily. Have you never heard of
Streamripper?

If the protocol is HTTP, Squid can be configured to always cache large files. As a last resort, the simple BSD licensed PacketProxy program can intercept TCP connections on any port.

Keeping Squid alive is easy... make sure to feed it properly, meet the hardware requirements, ensure ample access to water, and follow basic care guidelines.

Don't abuse or torture your squid.

While not a fix-all, squid can alleviate most all of the headaches involved with v6 v4 communication when it comes to HTTP (also known as "the internet" by the masses).

Squid is v4 and v6 aware, which means if you have an IPv6 host using squid, it can talk to an IPv4 host. If you have an IPv4 host, it can now talk to an IPv6 host as well. The only downside here is that it requires configuration of the proxy in the browser directly, you can't (easily, without DNS spoofing) transparently proxy all requests. Fortunately, this is generally not an issue for any business with a competent network admin staff.

Considering how many networks already deploy squid..

But guess what, if you understand NAT, you will NEVER have to upgrade past IPv4, because you will NEVER run out of IP Addresses. NAT is just the flexible approach to the problem that alot of people don't like because they don't understand.

Meanwhile, back in reality...

In abstract, NAT treats addr+port as a 48-bit address, so you're effectively trading ports for address. That means you only get one port 80 per public IP, so forget having more than one webserver (unless you can somehow get your visitors to go to http://www.example.com:8080/ ).

Incorrect. Had you said you only get one port 443 per public IP, I wouldn't have an issue, but HTTP traffic is easy to "route".

Every P2P app, every Skype, every game server, every random application you want to post has to have a unique port number across your entire network.

Can you really not see why that sucks in comparison to IPv6 which lets every machine on your LAN listen on the whole 2^16 port range as your firewall allows?

No argument from me here.

People who don't understand NAT at all like IPv6. People who only barely understand it, like yourself, think IPv4+NAT is spiffy. People who actually understand NAT and what it implies think that it needs to be taken out back and shot.

Every tool has a purpose. NAT is fine for a home, a small business, or an arbitrarily large network of strictly client computers.

Given this is server side technology, I presume it's not part of the opera web browser. Sounds like they're using a proxy server with gzip added. There's a beta stage patch for squid to allow you to do that yourself http://devel.squid-cache.org/projects.html#gzip

I'm playing with mesh node wifi routers, setting up a small mesh near where I live.

Something like this would be awesome as an itty-bitty squid server, to cache users' commonly browsed web content within the mesh itself. The open question would be whether the cache itself should reside entirely on a RAM disk to keep down access times, or whether the flash disk is fast enough. I'm guessing the former.

Even if firefox didn't have addons, all it would take is a proxy filter to remove the ads and spyscripts. The proxy can run locally on the same machine as your browser, and you tell the browser to pass all the web page requests to the proxy. For example, I use Polipo to speed up web browsing, and of course there's the old squid that's bundled with every distro.

The only reason ad blockers prefer to run as a browser add-on is because the HTML page can be accessed easily using the DOM and javascript. If an ad blocker were to run inside a proxy, it would either have to filter the raw HTML like everybody did in the old days, or the proxy program itself would eventually evolve to expose the DOM as a service to various filtering modules.

If the OP is using a linux router/gateway machine, why not use something as simple as squid-guard?
http://www.squidguard.org/
http://www.squid-cache.org/
Blacklists here: http://www.shallalist.de/
It allows for customization (trusted/untrusted) and seems to be very effective. Good luck!

Have you considered any other means of reducing network load? For example, Squid? A significant portion of your traffic is likely your users visiting the same content-rich websites, like MySpace, Facebook, Youtube, etc. If you can locally cache this content (especially the Flash stuff) you'll probably see a large drop in load.

Squid does a wizard job of that, once you learn to configure it. Nifty Ubuntu instructions too. And you'll need to look up access control limits too. It's not a big deal, just a bit touchy at times...

Really simple way to illustrate the problem to people - If you were to use the full capacity of your connection, you would only be allowed about 15 hours a month of activity. Now, to be somewhat fair to Charter, et. al., most people don't come close to tapping the actual capacity of their internet connection anyhow - in my experience, most file servers and web sites won't download files to me at close to the full connection speed. Streaming HD video only needs about 2.0Mbps, I think. VoIP/Webcams take maybe 1Mbps. Online games need low latency, but I don't think they actually use up that much bandwidth - maybe what, like 100-200 Kbps?

15Mbps service is nice, though, because it does mean I can be using Teamspeak, downloading files in the background, and watching an HD movie all at the same time.

I suppose these caps will hit people who heavily use P2P file sharing though. You know, I wonder - do these caps include same-network traffic? I think it would be tremendously intelligent (so it probably won't happen) for ISPs like Charter, Time-Warner, Comcast, etc, to try to work with P2P software providers to develop clients that preferentially 'bias' P2P traffic to stay within the same ISP network where possible. That is, if a torrent or other p2p client where trying to find a source to download the files from, it would try to pick other clients on the same network to transfer from - of course, that's only helpful when you have a lot of people seeding.

Still, the point is, I think that the ISPs could find P2P technologies to be tremendously beneficial for themselves and their customers, if they implemented things correctly. You could extend the P2P concept to cache-ing mechanisms (something like a p2p version of squid, perhaps). I really think that the benefits of p2p technologies are dramatically under-utilized, currently, because most bean-counters hear p2p and think 'copyright thieves'.

Blizzard is one company that has at least 1/2 a clue - it's my understanding that their updated for WoW uses bittorrent to distribute updates to their millions of users - what a great way to help make sure that users don't have to wait for hours for their computer to be able to download updates on patch day because of an overloaded update server (an experience I've had on several occasions with other MMO's that used a 'centralized' update server that simply couldn't handle 20000+ users all trying to connect simultaneously and download a 100MB+ file).

DNS is your friend, especially when your nameserver is declared a master for that domain and the zonefile contains a wildcard record pointing all names to the IP address of your own dedicated nothing-there Web server.

Squid is another option. Actually it is a better option, since you can configure it to read a file of regex patterns and reject URLs based on those patterns. This allow you to block URLs based on the directory/file name as well as the domain name. In addition, you can block other information leaks such as the Referrer header.

Why, you sell support services, of course! There's your money.

I saw that someone had already mentioned it. I am going to agree with them and tell you that installing something like squid, a caching proxy server is gonna be your best bet for helping you to save on your bandwidth issues. http://www.squid-cache.org/ Previous poster who mentioned it also listed the wiki for it. I strongly recommend it if you are serious about trying to save on your bandwidth usage.

Install Squid (or some other form of caching proxy). http://www.squid-cache.org/ Then set your browser to use that proxy. If you're running your own LAN then you could even setup a gateway server that has a transparent proxy (http://en.wikipedia.org/wiki/Transparent_proxy#Transparent_and_non-transparent_proxy_server) as well as NAT. Benefits of using a transparent proxy over setting the proxy in your web browser is that all apps which use http traffic will have it cached (where possible). Also note the https pages are never cached. Of course use AdBlock as well to cut back on traffic you don't want regardless of bandwidth ;) Cheers, Alan.

Install a cache server. Like Squid.

http://www.squid-cache.org/
http://en.wikipedia.org/wiki/Squid_cache /thread.

--
BMO

On the other hand, when your squid stops caching, sometimes dissection is the best way to troubleshoot the problem.

A secure VPN or proxy is a very useful tool if you find yourself using insecure wifi often. Windows XP Pro (and better) offer VPN serving capabilities for at least one user. Alternatively, you could set up a free web proxy on localhost and use Hamachi or OpenSSH for port forwarding. In any case, it's definitely worth the peace of mind knowing that your traffic is at least somewhat obfuscated.

On a side note, I like how you wiki-signed your post :)

Squid, the http caching program, was conceived long before Akamai became a company.

All the services that Akamai propose can be achieved with localized Squid servers. Akamai's only benefit is it's market share, which allows it to provide it's (Squid) services at a lower cost.

These patents have no ground, as the technology was already invented by Squid programmers over a decade ago.

Thank God these US patents are not enforced in the EU.

http://www.squid-cache.org/

Live Patent Free! Contact your Govt representatives to abolish Patent Laws!

Why not just run your internet through your own proxy and remove the ads? Sure, it may be a bit slower, but surely it could be done with something like Privoxy on top of Squid.

• ...is a great abstraction layer for iptables, so writing your firewall policies and rules is more like writing them in English* than straight iptables (although you'll still want to understand iptables enough to debug problems);
• ...uses a modular config, including "macros" for commonly-used rulesets;
• ...allows you to set arbitrary variables, like $WEBSERVER or $ALL_PRIVATE_NETWORKS, which make your rules all the more natural-language-like;
• ...gives you an elegant "did I just compose a firewall that's going to lock me out of the box?" sanity check ('shorewall safe-start' or 'shorewall safe-restart');
• ...offers excellent advanced features like multi-ISP use and integration of bandwidth shaping (using 'tc') in a satisfyingly-straightforward way;
• ...and manages to put firewall admins "on rails" without sacrificing advanced capabilities (see above).

* I have no experience with its internationalization.

No, I'm not on the Shorewall devel team. ;-)

It's just a set of scripts, so it should run on any system that offers iptables and an sh-compatible shell. There are prebuilt packages ("noarch" RPMs, for instance) maintained for most major distros.

Coupled with Webmin (for which there is a Shorewall module available) and add-ons like OpenVPN, Squid, and DansGuardian, this makes for a pretty capable "edge box" that even "non-Unixy types" can manage, provided they understand the OS-independent aspects of firewall management...

(No, I'm not on any of those devel teams, either.)

I've posted my list back about a year ago, and I still use every single one of them every day... (I also describe how to get around a "bug" in FF that forbids non-standard port connections). Check it out here. I also spoke at my local LUG about the same thing in January.

Here's a list of the extensions I'm currently using in my Firefox build (you can see how I have it tricked out with all of my theming and extensions over here):

• Sage, a really slick and fast rss aggregator/reader for Firefox. It docks on the sidebar and is visible with a simple Alt-S keystroke. Very nice, and easy for me to catch up on some quick headlines when I need to.
• AdBlock Plus with the AdBlock Filterset G Updater to stop the flood of useless ads from coming at me. I did have to add one small rule for Google's ads, because I do actually like the recommendations they provide from time to time, and it helps out sites I visit with a little revenue. That regex looks like this: @@*.googlesyndication.com/*
• Web Developer, a very useful and slick toolbar/menu driven suite that allows me to do all kinds of things to websites I'm viewing, including validation, showing where their css classes are, manipulating forms, cookies, images, and dozens of other features. Hands-down, the most-useful extension I have as a developer/tweaker of web content.
• PrefBar, another powerful extension I use every single day. This one allows me to change the capabilities of my browser with a simple click of a checkbox. Want Java enabled? Click. Sick of popups? Click. I have Colors, Images, Javascript, Java, Flash, Popups, Proxies, Pipelining, Referers, Cache on my bar. Its completely customizable, and very well-done.
• SwitchProxy lets me manage and switch between multiple proxy configurations quickly and easily. I can also use it as an anonymizer to protect my system from prying eyes. I have Squid, Squid + Privoxy, Privoxy + Tor and i2p enabled in my configuration at the moment. Quick and easy, and one status-bar dropdown lets me change from one to another.
• FasterFox gives me a little boost by auto-configuring some parameters for faster browsing, such as link prefetching, pipelining, DNS cache, paint delay, and others.
• ForecastFox, weather.. in my status bar. I've changed the icons a bit with a separate icon pack called Lansing, which is nice adn small and out of the way. Minimal is the way to go on my toolbars and status bars.
• Linky lets me open or download all or selected links in a page, image links and even web addresses found in the text in separate or different tabs or windows. A simple right-click on any link or web address, and away I go.
• Google PageRank Status gives me a quick overview of the PR of a site in the current view. This is useful as I do a lot of web work, and knowing what kind of sites get a decent or poor PR is useful information.
• SearchStatus is another SEO toolbar fo

I live in Hong Kong, and indeed it was a huge disaster. I run an online flower shop myself, so we see our daily traffic went flat for the last couple of days. And I can't even ssh into our colo in USA.

Recape of the situation: 6 underground fiber lines were cut. "Foreign" sites like Slashdot, Google, EBay and Yahoo! were dead. Hong Kong based sites, Australia sites and a few European sites like BBC does work, so that give us hope. So...

On day 1 ( 12/28 ): we found out Google Hong Kong still works, and Australia sites work... so we search "australia proxy server" and funny that a few ISPs have open proxies open at 3128 (Looks like Squid Cache to me!). Since we must be an early batch, we feel wonderful to be "the only one" in town to go online, beat the odds and get all the pussies...

One day 2 (12/29): news of the proxies must have gotten out. Yahoo! Answers are full of such foreign proxies lists, and some entrepreneur hackers must have wonderful day, building their own proxies and lured people into using it. Of course your average surfers wouldn't know normal http is unencrypted... Meanwhile our "free proxy" running by that friendly Australia ISP finally adds ACL to block us out... We try installing Google Web Accelerator, and it did no good, and accessing local sites are even slower...

On day 3 (12/30): we start looking for Australia colocation / dedicated server plans to run our own proxy server. Their prices are at least 2 times more expensive than US hosting companies, so we start pinging popular hosting in USA.... ev1servers.net? down. Rackspace? up (but too pricey). Godaddy? up, and lo and behold, they have a cheap $29.99 USD virtual linux plan.

So, we setup our own Squid cache and it finally keeps us reading Slashdot until this day :)

I moved to Linux in 1994 as my primary desktop and server OS. About three years ago I decided that I wanted to produce some video content. Video editing was theoretically possible in Linux - I hooked up my camcorder to my Linux box and did some editing, but the tools were primitive and cofiguration was unusually difficult.

Eventually I looked at OS X and iLife. I decided to jump to a Mac. What a great move!

I found that Linux made it possible to do some things, but OS X made it simple to do them.

Fast forward a few years. I now have a few macs at home - their licensing policy makes it affordable to have several machines and a five user license for the OS and tools. My family loves the power and usability of the Mac.

Recently my linux server at home began acting a bit flaky. I did some analysis and determined that hardware replacement was needed. After checking prices for CPU/motherboard/RAM (and potentially hard disk) I figured out that I'd need a few hundred bucks to replace the CentOS box with a new one. After thinking about whether to drop a few hundred bucks or not on this server, it occurred to me that I might be able to move all of the services hosted on linux to OS X.

I found that samba,
  hotwayd,
  dansguardian,
  uw-imapd,
  fetchmail,
  procmail,
  spamassassin,
    rsync,
  rsnapshot,
  apache2,
  MySQL4,
  PHP,
  perl,
  java, and
  squid were all available for OS X.

Most of these are "in the box" with OS X. The only ones that I need to compile from source are uw-imapd and squid! Of course I need the bundled developer tools to get a compiler, and the Apple/BSD startup mechanism and the netinfo wierdness require some tweaks - but since when did Linux *not* require any tweaking?

What this means to me is that after more than a decade of running Linux at home (and work) I am *this* close to shutting down Linux for good at home.

Hope your experience is similar.

Regards,
Anomaly

PS - I share your recent comments about the loss of a pet. :(