Re: [squid-users] weird traffic

From: Matthew Morgan <atcs.matthew_at_gmail.com>
Date: Wed, 23 Sep 2009 10:17:31 -0400

Amos Jeffries wrote:
> On Tue, 22 Sep 2009 11:58:16 -0400, Matthew Morgan <atcs.matthew_at_gmail.com>
> wrote:
>
>> Leonardo Carneiro wrote:
>>
>>> you could bind squid to only listen on the LAN interface. doing this, no
>>> one will be able to establish an external connection with squid.
>>>
>> I'll try that, but I thought my firewall rules were taking care of
>> that. They may not be though...I'm just recently learning iptables.
>> I'll post back with the results.
>>
>> Thanks!
>>
>>
>
> IIRC llnw.net are one of the providers for a lot of video content. If your
> Squid is configured to download a complete file on range requests and one
> of your users started downloading a video then stopped Squid would show
> this behavior.
>
Ah! This may be it. My squid IS set to download an entire file on
range request so that windows updates will cache properly. We're
actually a computer shop, so there is no telling what type of downloads
the virus infested customer machines may initiate and drop as we work on
them.

Thanks for the tip!

As for Leonardo Carneiro's advice about only binding to the local port:
it may just be my imagination, but it seems like that has cut down on
the length of time these strange connections last. As I said, I'm not
really a networking expert, so I don't even know if that makes sense.
Either way, it was a security measure I should have taken in the first
place.
> Though yeah, a firewall spot-check is also good when strange things happen.
>
> Amos
>
>
>>> Matthew Morgan wrote:
>>>
>>>> I have squid set up as a transparent proxy. It has two interfaces:
>>>> eth0 (internet facing wan) and eth1 (local). I'm using iptables to
>>>> masquerade the packets from my local network on eth1 and redirect
>>>> them to squid's port. All this seems to work fine.
>>>>
>>>> The thing is, I keep seeing long periods of high incoming traffic on
>>>> eth0, but low outgoing traffic on eth0, and nearly no traffic on
>>>> eth1. Every time I see this, the data is always coming from either
>>>> llnw.net or msecn.net. Both of these are legitimate content delivery
>>>> networks. When I inspect the traffic I'm getting with
>>>> tcpdump/wireshark, none of the traffic from these domains is going
>>>> through to eth1 at all. I can confirm that this traffic is going to
>>>> squid, since a netstat -p shows squid as the program with the
>>>> connection open.
>>>>
>>>> What could be causing this? I tried turning off persistent
>>>> connections in case a client was making the connection and then
>>>> ignoring the data, but I'm not sure if that's possible or the
>>>> problem. I'm not a network expert.
>>>>
>>>>
>
>
Received on Wed Sep 23 2009 - 14:17:43 MDT
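Editor's note (not part of the list thread): the two settings discussed above, the "fetch the whole object on a range request" behaviour and the listening interface, are both visible in squid.conf, and the firewall spot-check Amos suggests can be done against the output of iptables -S. The script below is an added example, not the poster's configuration or Squid's own tooling. It embeds constructed squid.conf and iptables fragments (a hypothetical LAN address of 192.168.1.1 on eth1, the Squid 2.7 "transparent" keyword, and a hypothetical 64 MB cap on whole-object prefetching) and shows the weak settings beside the corrected ones, with small shell checks that report which state a given configuration is in. The quick_abort_* lines are included because they are the other Squid directives that decide whether a fetch continues after the client has gone away; their values here are Squid's documented defaults.

```shell
#!/bin/sh
# Constructed configuration fragments for illustration; not from the thread.

# Weak: Squid listens on every interface, any range request pulls the whole
# object, and an aborted fetch is always carried to completion.
WEAK_CONF='http_port 3128 transparent
range_offset_limit -1
quick_abort_min -1'

# Corrected: bind only to the LAN address (hypothetical 192.168.1.1 on eth1),
# prefetch whole objects only when the range starts within 64 MB (hypothetical
# cap), and let Squid drop aborted fetches that are far from finished.
SAFE_CONF='http_port 192.168.1.1:3128 transparent
range_offset_limit 64 MB
quick_abort_min 16 KB
quick_abort_max 16 KB
quick_abort_pct 95'

# Constructed "iptables -S INPUT" output for the two states.
# Weak: default-accept policy and an ACCEPT for the proxy port on any interface.
WEAK_FW='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT'

# Corrected: default-drop, and the proxy port is only reachable from eth1.
# (The nat PREROUTING REDIRECT for port 80 is unchanged and not shown.)
SAFE_FW='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 3128 -j ACCEPT'

# Print the address http_port is bound to, or "any" when it is unbound.
http_port_bind() {
  printf '%s\n' "$1" | awk '$1=="http_port" {
    if ($2 ~ /:/) { split($2, a, ":"); print a[1] } else print "any"
  }'
}

# Print "whole-file" when range_offset_limit is -1, otherwise the configured cap.
range_policy() {
  printf '%s\n' "$1" | awk '$1=="range_offset_limit" {
    if ($2 == "-1") print "whole-file"; else print $2 (NF > 2 ? " " $3 : "")
  }'
}

# Print "exposed" if the INPUT chain can admit traffic to the proxy port from
# an interface other than the LAN one: either the chain policy is ACCEPT, or an
# ACCEPT rule for the port is not restricted with -i <lan>. Otherwise "lan-only".
proxy_port_exposed() {
  fw="$1"; lan="$2"; port="$3"
  printf '%s\n' "$fw" | awk -v lan="$lan" -v port="$port" '
    $1=="-P" && $2=="INPUT" && $3=="ACCEPT" { exposed = 1 }
    $1=="-A" && $2=="INPUT" && /-j ACCEPT/ && $0 ~ ("--dport " port "( |$)") {
      if ($0 !~ ("-i " lan "( |$)")) exposed = 1
    }
    END { print (exposed ? "exposed" : "lan-only") }'
}

# One-line summary per configuration; run with no arguments to see both states.
report() {
  printf '%s: http_port bound to %s, range prefetch %s, firewall %s\n' \
    "$1" "$(http_port_bind "$2")" "$(range_policy "$2")" \
    "$(proxy_port_exposed "$3" eth1 3128)"
}

report weak      "$WEAK_CONF" "$WEAK_FW"
report corrected "$SAFE_CONF" "$SAFE_FW"
```

Note that binding http_port to the LAN address and restricting INPUT with -i eth1 are independent controls; the "exposed" check only looks at the firewall, so a box with a correct http_port but a permissive INPUT chain is still reported as exposed. The range_offset_limit value is a trade-off: the poster needs whole-object prefetching for Windows Update, and a size cap keeps that while limiting how much of a large video a single abandoned range request can pull in.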

This archive was generated by hypermail 2.2.0 : Thu Sep 24 2009 - 12:00:05 MDT