Re: filedescriptor leak on 1.2b20

From: Oskar Pearson <>
Date: Fri, 22 May 1998 09:06:08 +0200


> > I saw the same thing some time ago. I can't remember the exact details
> > but it's something to do with have transparent proxy on (i.e. so squid
> > acceleration is on), and have a url that is the squid access
> > port. (i.e. http://squid.ip.address:80/blah). Squid promptly connects
> > to itself, issues the same URL, connects to itself, issues the same
> > URL .... etc etc.
> If this is the case, then it can easily be seen in the access log. There
> should be a number of accesses from the squid server.

Not necessarily - the connections never actually complete, so they are never
logged... since squid only logs the connections at the end of the
transfer :)

> Recommended setup:
> Squid running on port 3128
> ipfwadm ruleset:
> # Don't redirect our own traffic
> ipfwadm -I -a accept -W lo
> ipfwadm -I -a accept -S
> ipfwadm -I -a accept -D
> [repeated for every IP address the system has]
> # Redirect port 80 to Squid
> ipfwadm -I -a accept -P tcp -D 80 -r 3128

on my test system I have:
ipfwadm -I -a accept -W lo
ipfwadm -I -a rej -P tcp -D 80
ipfwadm -I -a accept -P tcp -D 0/0 80 -r 8080
ipfwadm -I -a accept -P tcp -D 0/0 8080 -r 8080
ipfwadm -F -p accept

Now that doesn't help if someone actually sets their netscape to use
you as a 'normal proxy'...

So I added acls that deny IF the destination address is the
ip of the local machine, 127 etc etc etc.


"Haven't slept at all. I don't see why people insist on sleeping. You feel
so much better if you don't. And how can anyone want to lose a minute -
a single minute of being alive?"				-- Think Twice
Received on Fri May 22 1998 - 00:13:12 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:40:19 MST