[LARTC] why shape incoming traffic

Linux Advanced Routing and Traffic Control

On Fri, Mar 01, 2002 at 02:12:07PM -0800, Don Cohen wrote:
> I'd argue that this request is coming from the local machine and
> should be classified as such.  I gather it's not forwarding the
> original packets. 

You're correct that it is not sending the original packets, but if 300
users from 5 departments with bandwidth sharing limits are browsing the
web with one copy of Squid between them and the 'net, it's very nice if
Squid's web usage gets taken into account when it has to fetch sites.

> What I don't understand: is the user sending packets to the site with
> the original web page or to the Squid server?  If the original site,
> then how is the Squid server getting them?

That depends on your configuration; Squid can be set up as a transparent
proxy so that all requests made to given ports (80, 443, etc.) are forced
through Squid instead so that the user doesn't have the choice.

> The point is that I want to maintain legitimate communication with
> these servers when someone is trying to attack them.

If all you want is to have legitimate use, set up a class for interactive
traffic, reserve it some amount of bandwidth, cap it at another amount (to
keep a user from using SSH to eat all your bandwidth) and add SFQ to it to
make sure no one connection gets all the bits.

My new Internet gateway box is actually set up without any login or port
services except forwarding and firewalls -- there are no listening ports at
all and no way for me to log into it except over serial port or at the
terminal.  The serial port is connected to an external modem; logging in
is therefore "out of band".  Any form of non-serial login is assumed to be
an intrusion, but that's off-topic ;-).
-- 
Michael T. Babcock
CTO, FibreSpeed Ltd.     (Hosting, Security, Consultation, Database, etc)
http://www.fibrespeed.net/~mbabcock/
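The interactive class the reply above sketches (reserve a rate, cap it at a ceiling, put SFQ inside it) written out as a tc script. This is an added example, not code from the thread or from its author; the interface name eth0, the 10000 kbit uplink, the rates, and the choice of SSH (tcp/22) as the "interactive" traffic are all assumptions, and the script prints the rules instead of running them unless APPLY=1 so the policy can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the LARTC thread: an HTB class for interactive
# traffic with a reserved rate, a hard ceiling, and SFQ inside it.
# Assumptions (all hypothetical): the gateway's WAN interface is eth0, the
# uplink is 10000 kbit, "interactive" means SSH (tcp/22), and everything
# else is bulk. Rates are integers in kbit so the bulk share can be computed.

# Emit the tc commands as text instead of running them, so the policy can be
# reviewed (and tested) without root or a real interface.
tc_rules() {
    dev=$1              # interface the rules attach to (shaping acts on egress)
    link_kbit=$2        # total link rate
    inter_kbit=$3       # bandwidth guaranteed to the interactive class
    inter_ceil_kbit=$4  # hard cap so one SSH session cannot eat the whole link
    bulk_kbit=$((link_kbit - inter_kbit))
    cat <<EOF
tc qdisc add dev $dev root handle 1: htb default 20
tc class add dev $dev parent 1: classid 1:1 htb rate ${link_kbit}kbit ceil ${link_kbit}kbit
tc class add dev $dev parent 1:1 classid 1:10 htb rate ${inter_kbit}kbit ceil ${inter_ceil_kbit}kbit prio 0
tc class add dev $dev parent 1:1 classid 1:20 htb rate ${bulk_kbit}kbit ceil ${link_kbit}kbit prio 1
tc qdisc add dev $dev parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $dev parent 1:20 handle 20: sfq perturb 10
tc filter add dev $dev parent 1: protocol ip prio 1 u32 match ip dport 22 0xffff flowid 1:10
tc filter add dev $dev parent 1: protocol ip prio 1 u32 match ip sport 22 0xffff flowid 1:10
EOF
}

# Sanity check used before applying: the reservation must fit inside the link
# and the ceiling must lie between the guarantee and the link rate.
# Returns 0 if the rates are acceptable, 1 otherwise.
check_rates() {
    link_kbit=$1; inter_kbit=$2; inter_ceil_kbit=$3
    [ "$inter_kbit" -gt 0 ] || return 1
    [ "$inter_kbit" -lt "$link_kbit" ] || return 1
    [ "$inter_ceil_kbit" -ge "$inter_kbit" ] || return 1
    [ "$inter_ceil_kbit" -le "$link_kbit" ] || return 1
    return 0
}

# Print the rules by default; run them only when APPLY=1 (needs root and tc).
main() {
    dev=${DEV:-eth0}
    link=${LINK_KBIT:-10000}
    inter=${INTER_KBIT:-1000}
    ceil=${INTER_CEIL_KBIT:-3000}
    check_rates "$link" "$inter" "$ceil" || { echo "bad rates" >&2; return 1; }
    if [ "${APPLY:-0}" = 1 ]; then
        tc qdisc del dev "$dev" root 2>/dev/null   # clear any previous policy
        tc_rules "$dev" "$link" "$inter" "$ceil" | sh -e
    else
        tc_rules "$dev" "$link" "$inter" "$ceil"
    fi
}

main
```

Two things worth noticing when adapting it. Matching on source port 22 puts anything that answers from port 22 into the interactive class, which is exactly why the class has a ceil and not just a rate: the cap is what keeps that class from swallowing the link, as the reply says. And because tc shapes what leaves an interface, the "incoming" direction is shaped by attaching the same kind of policy to the LAN-facing interface rather than to the WAN side.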

