Re: [squid-users] about delay_pools

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 11 Jul 2011 18:35:16 +1200

On 09/07/11 01:40, Carlos Manuel Trepeu Pupo wrote:
> 2011/7/8 Amos Jeffries<squid3_at_treenet.co.nz>:
>> On 08/07/11 02:36, Carlos Manuel Trepeu Pupo wrote:
>>>
>>> Hi! I'm using squid 3.0 STABLE1. Here are my delay_pool in the squid.conf
>>>
>>> acl enterprise src 10.10.10.2/32
>>> acl bad_guys src 10.10.10.52/32
>>> acl dsl_bandwidth src 10.10.48.48/32
>>>
>>> delay_pools 3
>>>
>>> delay_class 1 1
>>> delay_parameters 1 25600/25600
>>> delay_access 1 allow bad_guys
>>> delay_access 1 deny all
>>>
>>> delay_class 2 1
>>> delay_parameters 2 65536/65536
>>> delay_access 2 allow enterprise
>>> delay_access 2 deny all
>>>
>>> delay_class 3 1
>>> delay_parameters 3 10240/10240
>>> delay_access 3 allow dsl_bandwidth
>>> delay_access 3 deny all
>>>
>>>
>>> I think everything was right, but since yesterday I see "bad_guys"
>>> downloading from youtube using all my bandwidth!! I have a channel of
>>> 128 Kb (ATM technology). So I hope you can help me!!!!!!!
>>
>> step 1) please verify that a recent release still has this problem.
>> 3.0.STABLE1 was obsoleted years ago.
>>
>> step 2) check for things like follow_x_forwarded_for allowing them to fake
>> their source address. 3.0 series did not check this properly and allows
>> people to trivially bypass any IP-based security if you trust that header.
>>
>> Amos
>>
> I
>
> If I deny "bad_guys" they can't surf. The user is a client who has
> a Kerio Firewall-Proxy with 10 users. I made a test: I visited them
> and stopped their service, and the bandwidth went down, so I confirmed
> that they are the ones who violate the delay_pool. Now, the question is
> why does this happen?

I just gave you several possible answers to that.

Considering that you only listed 10.10.10.52 and Kerio passes on
X-Forwarded-For headers, the comment I made about follow_x_forwarded_for
becomes a very important thing to know. Trusting XFF from their Kerio
means firstly that "src 10.10.10.52" does not match and secondly that
your delay pools, if it did match, give each of their 10 internal
machines a different pool.

> (Every time this happen I check the destination domain it's youtube
> and they are downloading from there.)

Another possibility is that it is in fact an "upload" that you can see.
delay_pools in 3.0 only work on bytes fetched _from_ the server.
Outgoing bytes are not limited.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.14
   Beta testers wanted for 3.2.0.9
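To make the bypass described in the thread concrete, here is an added Python model (not Squid's code, and not from either poster) of how the page's src ACLs and delay_access rules resolve a request with and without follow_x_forwarded_for trusting 10.10.10.52. The internal address 192.168.1.7 behind the Kerio is a constructed sample.

```python
import ipaddress

# The three src ACLs from the squid.conf on this page.
ACLS = {
    "enterprise":    ipaddress.ip_network("10.10.10.2/32"),
    "bad_guys":      ipaddress.ip_network("10.10.10.52/32"),
    "dsl_bandwidth": ipaddress.ip_network("10.10.48.48/32"),
}

# delay_access lines per pool, in file order: (action, acl name or "all").
DELAY_ACCESS = {
    1: [("allow", "bad_guys"), ("deny", "all")],
    2: [("allow", "enterprise"), ("deny", "all")],
    3: [("allow", "dsl_bandwidth"), ("deny", "all")],
}


def acl_matches(name, addr):
    return name == "all" or addr in ACLS[name]


def effective_client(peer, xff, trusted):
    """Address the src ACLs are evaluated against.

    Squid starts at the TCP peer and walks X-Forwarded-For right to
    left, stepping back one hop each time the current address is
    allowed by follow_x_forwarded_for ("trusted" = those networks).
    With no trusted networks the TCP peer is used unchanged.
    """
    addr = ipaddress.ip_address(peer)
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    while hops and any(addr in net for net in trusted):
        addr = ipaddress.ip_address(hops.pop())
    return addr


def delay_pool_for(addr):
    """First pool whose delay_access allows the address, else None
    (no pool means the request is not rate limited at all)."""
    for pool, rules in sorted(DELAY_ACCESS.items()):
        for action, acl in rules:
            if acl_matches(acl, addr):
                if action == "allow":
                    return pool
                break  # a matching deny moves on to the next pool
    return None


def pool_for_request(peer, xff, trusted=()):
    return delay_pool_for(effective_client(peer, xff, trusted))
```

With no trusted networks the Kerio's request lands in pool 1; once 10.10.10.52 is trusted, the XFF address 192.168.1.7 matches no ACL and the request escapes every pool.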
Received on Mon Jul 11 2011 - 06:35:22 MDT
