Re: [squid-users] limiting connections

From: H <hm_at_hm.net.br>
Date: Thu, 05 Apr 2012 13:52:46 -0300

Carlos Manuel Trepeu Pupo wrote:
> On Thu, Apr 5, 2012 at 10:32 AM, H <hm_at_hm.net.br> wrote:
>> Carlos Manuel Trepeu Pupo wrote:
>>>>> what is your purpose? solve bandwidth problems? Connection rate?
>>>>> Congestion? I believe that limiting to *one* download is not your real
>>>>> intention, because the browser could still open hundreds of regular
>>>>> pages and your download limit is nuked and was for nothing ...
>>>>>
>>>>> what is your operating system?
>>>>>
>>> I intend to solve bandwidth problems. For the people who use download
>>> managers or accelerators, just limit them to 1 connection. Otherwise, I
>>> tried to solve it with delay_pool; the packets that I deliver to the
>>> client were just as I configured, but with accelerators the upload
>>> saturates the channel.
>>>
>>
>>
>> since you did not say what OS you're running I can give you only some
>> direction; any or most Unix firewalls can solve this easily. If you use
>> Linux you may like pf, with FBSD you should go with ipfw; the latter
>> is probably easier to understand, but for both you will find zillions of
>> examples on the net. Look for short setups.
>
> Sorry, I forgot!! Squid is on Debian 6.0 32-bit. My firewall is
> Kerio, but on Windows, and I'm not so glad to use it!!!
>
>>
>> first you "divide" your bandwidth between your users
>
> First I searched for dynamic bandwidth with Squid, but Squid does
> not do this, and then after much searching I only found ISA Server with a
> third-party plugin, but I prefer Linux.
>
>>
>> if you use TPROXY you can divide/limit the bandwidth on the outside
>> interface in order to limit only access to the link, but if squid has the
>> object in cache it might go out as fast as it can
>>
>> you still can manage the bandwidth pool with delay parameters if you wish
>
> I tried with delay_pool, but delay_pool only manages the download
> average, and not the upload; I need both. The last time I tried
> with delay_pool the "download accelerator" downloaded at the speed that
> I specified, but the proxy consumed the whole channel with the download,
> something that I never understood.
>
>>
>>
>> I guess you meant download accelerator, not manager. You can then limit
>> the connection rate within the bandwidth for each user and each
>> protocol; for DL-accelerators you should pay attention to UDP packets as
>> well. You did not say how many users and how much bandwidth you have, but
>> limit the TCP connections to 25 and UDP to 40 to begin with, then test it
>> until you come to something that suits your wish
>
> I have 128 kbps, and I have no idea about the UDP packets!!! That's
> new for me!! Any documentation that I can read???
>

none of what we are talking about has anything to do with squid

bandwidth control, connection limiting etc. you should handle with the firewall

let squid do what it does well, cache and proxy

you could consider a different setup: a Unix box with a firewall on your
internet connection and as your gateway, squid as TPROXY or transparent
proxy if you need NAT, all on the same box

if you use Linux you should look for the pf firewall, if you use FreeBSD you
should use the ipfw firewall and read the specific documentation. If this
is all new for you, you might find it easier to use FreeBSD since all
setups are straightforward; Linux and also pf are a little bit more
complicated.
As an example, setting up NAT on IPFW can be done with three lines of code; I
believe pf needs at least 6 to work

but before you dig deeper you might think about a new design of your
concept of Internet access

>>
>> you still could check which DL-accel your people are using and then limit
>> or block only those P2P ports, which used to be very effective
>
> Even if I do not permit "CONNECT", can the users use P2P ports??
>

I do not understand this question. Is this squid's CONNECT keyword? If so,
nothing to do ...

all I was talking about is on the firewall layer, before squid

DL-accels tend to fire lots of UDP packets to find a peer; these packets
can saturate small links easily if you do not limit them

you limit the max UDP connections as well as the max TCP connections, which
helps you get "reasonable" speed even with small bandwidth, as far as
128kbit/s can be reasonable

you can run a simple squid setup
and you run a simple firewall setup

both on one machine

> Thanks for this, I can clear up many questions about squid that I have!!!
>

you are welcome

-- 
H
+55 11 4249.2222
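As an added example (not part of the thread, and not the poster's own setup), here is a pf.conf fragment in FreeBSD-style syntax that implements the per-client limits suggested above (25 TCP connections and 40 UDP states per source address) together with the NAT for a gateway box; the interface names em0/em1 and the LAN range 192.168.1.0/24 are assumed:

```pf
# Assumed names: em0 faces the ISP link, em1 faces the LAN with the users.
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"

# Sources that exceed the TCP connection limit are collected here.
table <abusers> persist

# NAT the LAN out of the external interface (the gateway role).
nat on $ext_if from $lan to any -> ($ext_if)

# Hosts already flagged as abusers are dropped outright.
block in quick on $int_if from <abusers>

# At most 25 concurrent TCP connections per LAN source; a host that goes
# over is added to <abusers> and all of its existing states are flushed.
pass in on $int_if proto tcp from $lan to any flags S/SA keep state \
    (max-src-conn 25, overload <abusers> flush global)

# UDP has no connections, so cap the number of state entries per source
# instead; this is what reins in peer discovery traffic from accelerators.
pass in on $int_if proto udp from $lan to any keep state \
    (max-src-states 40)

# Let the gateway's own and the translated traffic leave.
pass out on $ext_if keep state
```

Check the counters after loading with `pfctl -s states` and `pfctl -t abusers -T show`; a host that lands in the table stays blocked until it is removed with `pfctl -t abusers -T delete <addr>`.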

Received on Thu Apr 05 2012 - 16:53:04 MDT

This archive was generated by hypermail 2.2.0 : Fri Apr 06 2012 - 12:00:02 MDT