Re: [squid-users] about delay_pools

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 08 Jul 2011 16:38:45 +1200

On 08/07/11 02:36, Carlos Manuel Trepeu Pupo wrote:
> Hi! I'm using squid 3.0 STABLE1. Here are my delay_pools in squid.conf:
>
> acl enterprise src 10.10.10.2/32
> acl bad_guys src 10.10.10.52/32
> acl dsl_bandwidth src 10.10.48.48/32
>
> delay_pools 3
>
> delay_class 1 1
> delay_parameters 1 25600/25600
> delay_access 1 allow bad_guys
> delay_access 1 deny all
>
> delay_class 2 1
> delay_parameters 2 65536/65536
> delay_access 2 allow enterprise
> delay_access 2 deny all
>
> delay_class 3 1
> delay_parameters 3 10240/10240
> delay_access 3 allow dsl_bandwidth
> delay_access 3 deny all
>
>
> I think everything was right, but since yesterday I see "bad_guys"
> downloading from YouTube using all my bandwidth!! I have a channel of
> 128 Kb in technology ATM. So I hope you can help me!

step 1) please verify that a recent release still has this problem.
3.0.STABLE1 was obsoleted years ago.

step 2) check for things like follow_x_forwarded_for allowing them to
fake their source address. 3.0 series did not check this properly and
allows people to trivially bypass any IP-based security if you trust
that header.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.14
   Beta testers wanted for 3.2.0.9
Received on Fri Jul 08 2011 - 04:39:27 MDT
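
Step 2 of the reply above, as an added example that is not part of the original thread or of Squid's own tooling: a small Python audit that reports which src-based delay_access rules depend on a client address that an X-Forwarded-For header can set. The sample config, the `frontends` ACL and the function names are constructed for illustration, and the check assumes `acl_uses_indirect_client` is on unless the config turns it off.

```python
# Constructed sample: the poster's first pool plus a follow_x_forwarded_for
# rule that trusts the header from every client (the weak setting).
SAMPLE_CONF = """\
acl bad_guys src 10.10.10.52/32
acl frontends src 10.10.10.1/32
follow_x_forwarded_for allow all
delay_pools 1
delay_class 1 1
delay_parameters 1 25600/25600
delay_access 1 allow bad_guys
delay_access 1 deny all
"""
# Corrected form: only the (hypothetical) front-end proxy may supply the header.
HARDENED_CONF = SAMPLE_CONF.replace(
    "follow_x_forwarded_for allow all",
    "follow_x_forwarded_for allow frontends\nfollow_x_forwarded_for deny all")

def parse(conf):
    """Split a squid.conf into token lists, dropping comments and blank lines."""
    rows = (line.split("#", 1)[0].split() for line in conf.splitlines())
    return [r for r in rows if r]

def audit(conf):
    """Return sorted (pool, acl) pairs whose src-based delay_access match can be
    steered by a client-supplied X-Forwarded-For header."""
    rows = parse(conf)
    src_acls = {r[1] for r in rows if len(r) > 3 and r[0] == "acl" and r[2] == "src"}
    src_acls.discard("all")  # "all" restricts nothing
    indirect = True  # assumption: acl_uses_indirect_client is on by default
    for r in rows:
        if r[0] == "acl_uses_indirect_client" and len(r) > 1:
            indirect = r[1] == "on"
    broad_trust = False
    for r in rows:
        if r[0] != "follow_x_forwarded_for" or len(r) < 3:
            continue
        action, acls = r[1], r[2:]
        if action == "deny" and acls == ["all"]:
            break  # first match wins, later rules are unreachable
        if action == "allow" and not any(a in src_acls for a in acls):
            broad_trust = True  # header accepted with no specific source limit
            break
    if not (indirect and broad_trust):
        return []
    hits = set()
    for r in rows:
        if r[0] == "delay_access" and len(r) > 3 and r[2] == "allow":
            hits.update((int(r[1]), a) for a in r[3:] if a.lstrip("!") in src_acls)
    return sorted(hits)

if __name__ == "__main__":
    print("weak:", audit(SAMPLE_CONF), "hardened:", audit(HARDENED_CONF))
```

An empty result means the header is either not followed or only followed from a specific source ACL; it does not confirm that the listed front-end is itself trustworthy.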
