2011/7/11 Amos Jeffries <[email protected]>
>
> On 09/07/11 01:40, Carlos Manuel Trepeu Pupo wrote:
>>
>> 2011/7/8 Amos Jeffries <[email protected]>:
>>>
>>> On 08/07/11 02:36, Carlos Manuel Trepeu Pupo wrote:
>>>>
>>>> Hi! I'm using squid 3.0 STABLE1. Here are my delay_pool in the squid.conf
>>>>
>>>> acl enterprise src 10.10.10.2/32
>>>> acl bad_guys src 10.10.10.52/32
>>>> acl dsl_bandwidth src 10.10.48.48/32
>>>>
>>>> delay_pools 3
>>>>
>>>> delay_class 1 1
>>>> delay_parameters 1 25600/25600
>>>> delay_access 1 allow bad_guys
>>>> delay_access 1 deny all
>>>>
>>>> delay_class 2 1
>>>> delay_parameters 2 65536/65536
>>>> delay_access 2 allow enterprise
>>>> delay_access 2 deny all
>>>>
>>>> delay_class 3 1
>>>> delay_parameters 3 10240/10240
>>>> delay_access 3 allow dsl_bandwidth
>>>> delay_access 3 deny all
>>>>
>>>>
>>>> I think everything was right, but since yesterday I see "bad_guys"
>>>> downloading from youtube using all my bandwidth !! I have a channel of
>>>> 128 Kb in technology ATM. So I hope you can help me !!!!!!!
>>>
>>> step 1) please verify that a recent release still has this problem.
>>> 3.0.STABLE1 was obsoleted years ago.
>>>
>>> step 2) check for things like follow_x_forwarded_for allowing them to fake
>>> their source address. 3.0 series did not check this properly and allows
>>> people to trivially bypass any IP-based security if you trust that header.
>>>
>>> Amos
>>>
>> If I deny "bad_guys" they can't surf. The user is a client who has
>> a Kerio Firewall-Proxy with 10 users. I made the test of visiting them
>> and stopping their service; then the bandwidth went down, so I checked that
>> they are the ones who violate the delay_pool. Now, the question is why this happens?
>
> I just gave you several possible answers to that.
>
> Considering that you only listed 10.10.10.52 and Kerio pass on
> X-Forwarded-For headers, the comment I made about follow_x_forwarded_for
> becomes a very important thing to know. Trusting XFF from their Kerio means
> firstly that "src 10.10.10.52" does not match and secondly that your delay
> pools, if it did match, gives each of their 10 internal machines a different
> pool.

Sorry, but I don't understand how I can give each of their 10 internal machines a different pool. I read the documentation about follow_x_forwarded_for. I would appreciate it if you could explain it to me better. Thanks

>
>> (Every time this happens I check the destination domain: it's youtube
>> and they are downloading from there.)
>
> Another possibility is that it is in fact an "upload" that you can see.
> delay_pools in 3.0 only work on bytes fetched _from_ the server. Outgoing
> bytes are not limited.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.14
> Beta testers wanted for 3.2.0.9
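As an added example (not from the thread or from the Squid project), the same ACLs and pools with the follow_x_forwarded_for handling Amos is warning about spelled out: the risky setting beside a conservative one. It assumes a Squid build that has follow_x_forwarded_for (the 2.7 / 3.1 releases recommended in the signature; 3.1 needs the --enable-follow-x-forwarded-for build option) and that the Kerio box is the only host at 10.10.10.52; the address 192.168.1.7 in the comments is a constructed sample.

```squid
# Added example for this thread (not from the original posts). Assumes a
# Squid build with follow_x_forwarded_for support; ACL and pool names reused.

acl enterprise     src 10.10.10.2/32
acl bad_guys       src 10.10.10.52/32   # the Kerio proxy with 10 users behind it
acl dsl_bandwidth  src 10.10.48.48/32

# --- Risky: believe X-Forwarded-For from any client ---------------------
# With this, the "client address" Squid uses for acl matching and delay
# pools becomes whatever the header says. A request arriving from
# 10.10.10.52 but carrying "X-Forwarded-For: 192.168.1.7" (constructed
# sample) no longer matches bad_guys, so it falls out of pool 1 and is
# not shaped at all; the header, not the TCP peer, decides the src ACL.
#follow_x_forwarded_for allow all

# --- Safer: decide explicitly which peers, if any, are believed ---------
# The default is to ignore the header entirely; keep that unless a
# specific downstream proxy must be trusted.
follow_x_forwarded_for deny all

# If the Kerio box must be trusted (e.g. to log its users' addresses),
# limit trust to it and keep ACLs and delay pools on the direct address,
# so bad_guys still matches 10.10.10.52 and the whole Kerio site stays in
# the single 25 KB/s aggregate bucket of pool 1.
#follow_x_forwarded_for allow bad_guys
#follow_x_forwarded_for deny all
#acl_uses_indirect_client off
#delay_pool_uses_indirect_client off
# (log_uses_indirect_client, left at its default of on, still records
#  the internal address in access.log for auditing.)

delay_pools 3

delay_class 1 1
delay_parameters 1 25600/25600
delay_access 1 allow bad_guys
delay_access 1 deny all

delay_class 2 1
delay_parameters 2 65536/65536
delay_access 2 allow enterprise
delay_access 2 deny all

delay_class 3 1
delay_parameters 3 10240/10240
delay_access 3 allow dsl_bandwidth
delay_access 3 deny all
```

A quick check after reloading is to watch access.log for requests from 10.10.10.52 and confirm the logged client address is the one you expect the pools to be keyed on.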
