Re: filedescriptor leak on 1.2b20

From: Oskar Pearson <oskar@dont-contact.us>
Date: Fri, 22 May 1998 09:06:08 +0200

Hi

> > I saw the same thing some time ago. I can't remember the exact details
> > but it's something to do with having transparent proxy on (i.e. so squid
> > acceleration is on), and having a URL that is the squid access
> > port. (i.e. http://squid.ip.address:80/blah). Squid promptly connects
> > to itself, issues the same URL, connects to itself, issues the same
> > URL .... etc etc.
>
> If this is the case, then it can easily be seen in the access log. There
> should be a number of accesses from the squid server.

Not necessarily - the connections never actually complete, so they are never
logged... since squid only logs the connections at the end of the
transfer :)

> Recommended setup:
> Squid running on port 3128
> ipfwadm ruleset:
> # Don't redirect our own traffic
> ipfwadm -I -a accept -W lo
> ipfwadm -I -a accept -S 203.155.32.12
> ipfwadm -I -a accept -D 203.155.32.12
> [repeated for every IP address the system has]
> # Redirect port 80 to Squid
> ipfwadm -I -a accept -P tcp -D 0.0.0.0/0 80 -r 3128

On my test system I have:
ipfwadm -I -a accept -W lo
ipfwadm -I -a rej -P tcp -D 196.26.99.254 80
ipfwadm -I -a accept -P tcp -D 0/0 80 -r 8080
ipfwadm -I -a accept -P tcp -D 0/0 8080 -r 8080
ipfwadm -F -p accept

Now that doesn't help if someone actually sets their Netscape to use
you as a 'normal proxy'...

So I added ACLs that deny IF the destination address is the
IP of the local machine, 127 etc etc etc.

Oskar

---
"Haven't slept at all. I don't see why people insist on sleeping. You feel
so much better if you don't. And how can anyone want to lose a minute -
a single minute of being alive?"				-- Think Twice
Received on Fri May 22 1998 - 00:13:12 MDT
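
Added example, not part of the original post and not Squid's own code: a sketch of the destination check described above, which denies any request whose destination is the proxy host itself. The address list reuses 196.26.99.254 from the reject rule on the assumption that it is the proxy's own address; `would_loop`, the `resolve` hook and the hostnames are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: loopback plus the address from the post's reject rule
# are the proxy machine's own addresses.
LOCAL_NETS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("196.26.99.254/32")]

# Constructed name table standing in for DNS so the check runs offline.
SAMPLE_DNS = {"www.example.com": ["192.0.2.10"],
              "cache.example.net": ["196.26.99.254"]}


def sample_resolve(host):
    """Hypothetical resolver hook: hostname -> list of address strings."""
    return SAMPLE_DNS.get(host, [])


def would_loop(url, resolve, local_nets=LOCAL_NETS):
    """Return True if fetching `url` would connect back to the proxy host.

    Covers the case the firewall rules miss: a browser configured to use
    the box as a normal proxy and asking for the box's own address.
    """
    try:
        host = urlsplit(url).hostname
    except ValueError:
        host = None
    if not host:
        return True  # unparseable destination: deny
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        # Not an IP literal: check every address the name resolves to.
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        if not addrs:
            return True  # cannot show the destination is remote: deny
    return any(a in net for a in addrs for net in local_nets)


if __name__ == "__main__":
    for u in ("http://196.26.99.254:80/blah", "http://127.0.0.1:8080/",
              "http://cache.example.net/blah", "http://www.example.com/"):
        print("DENY " if would_loop(u, sample_resolve) else "ALLOW", u)
```

A hostname that resolves to the proxy's own address is denied just like the literal IP, which is why the check runs on resolved addresses rather than on the URL string.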
