you can also use rotatelogs (it is provided with many distribs... you
just have to add specific configuration) if squid can accept its logfile
to be moved or use a wrapper like apache logrotate... for all of these
you can specify date-based or filesize-based criteria to trigger the
switch towards a new empty file.
grtx
Hudson Delbert J Contr 61 CS/SCBN wrote:
create a link from the squid logfile that points to
/dev/null and tee the output to a file on a host somewhere
else on your network. not sure if the data will make it
but it's worth a try to avoid the 5gb barrier so the proxy
doesn't die. use what cmdline unix hax you know to redirect
the squid output.
-----Original Message-----
From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
[mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx]On Behalf Of Leonardo
Rodrigues Magalhães
Sent: Wednesday, January 12, 2005 8:52 AM
To: Jason Opperisano; netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: ipt_string and Kernel 2.6 !!URGENT!!
any proxy worth a "crap" can do more than the string match, so i fail
to see your point. maybe your proxy is "crap." maybe the skill set of
your proxy administrator is "crap."
I agree completely with you. But I still use string in some rare
situations. Here's one example.
A network with +500 machines and squid with authentication enabled, so
users must authenticate for browsing the web. Transparent proxy is also
enabled. I know transparent+authentication doesn't work. But I usually permit
antivirus/windowsupdate updates WITHOUT authentication, so machines can stay
updated with no problems. http NAT is DISABLED, http can only be accessed
through squid. This setup can be used for any kind of http filtering, ok?
Yes, it's OK. It works VERY fine.
But in a +500 machines network, you'll surely have some
virus/spyware/adware running on some machines. And some virus/spyware/adware
tend to make some http requests for getting data. This software usually
gets the Internet Explorer proxy configuration, but it doesn't know how to
authenticate, and it doesn't usually deal with DENIED/407 (you need to
authenticate yourself) squid return codes. Some of this software makes http
requests and, in case of getting ANYTHING different from the answer expected,
the request is done again, with absolutely no delay. I've seen, for example,
some virus making +90 requests/second in this environment.
Well, OK, squid is blocking them. But squid has a 2Gb log file
limitation which, in some cases I experienced, was enough for only 5 hours
of network traffic loaded with some of these virus/adware/spywares. After
2Gb of logs, squid dies and there goes http browsing.
In this kind of situation, during some virus/adware/spyware outbreak, I
tend to use the string module for blocking some requests even BEFORE they
reach squid. So I avoid squid dying because of the log getting full.
I know this is a 'complex' environment as well as a complex example. But
it's, at least I think, a valid example of where the string module is VERY
useful. As recommended, I do NOT use the string module in normal situations, but
in some outbreak situations, sometimes I get some string rules running for
fast-blocking it and having time for studying and fixing the problem.
I also would like to see the string module in kernel 2.6 ...... basically
it's the only netfilter patch that I use that has not been migrated to 2.6
yet ...
Sincerely,
Leonardo Rodrigues
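The two practical problems in this thread, finding the hosts that hammer the proxy with unauthenticated retries and rotating the access log before it hits the size at which squid dies, can both be handled from a small watchdog script. The following is an added example written for this page, not code from the thread or from the squid project: the log path, the size limit and the rotate command are assumptions, and the sample access.log lines are constructed (squid native log format, epoch timestamp in field 1, client address in field 3).

```shell
#!/bin/sh
# Added example (not from the thread): outbreak-time watchdog for a squid
# access.log. It (1) lists clients exceeding a per-second request rate, the
# "+90 requests/second" symptom described above, and (2) triggers a log
# rotation before the file reaches the size at which squid would die.
# Paths, the size limit and the rotate command are assumptions.

# noisy_clients LOG THRESHOLD
# Prints each client IP that made more than THRESHOLD requests within any
# single second. Assumes squid's native access.log format: field 1 is the
# epoch timestamp with milliseconds, field 3 is the client address.
noisy_clients() {
    awk -v t="$2" '
        { sec = int($1); n[$3 SUBSEP sec]++ }
        END { for (k in n) if (n[k] > t) { split(k, a, SUBSEP); print a[1] } }
    ' "$1" | sort -u
}

# file_size_bytes FILE: portable size lookup (stat(1) flags differ per OS).
file_size_bytes() {
    wc -c < "$1" | tr -d ' '
}

# rotate_if_over LOG LIMIT_BYTES ROTATE_CMD
# Runs ROTATE_CMD when LOG is at least LIMIT_BYTES. Returns 0 if a rotation
# was triggered, 1 otherwise. The command must make squid reopen its log
# (for example "squid -k rotate"): renaming the file underneath a running
# squid does not release the open descriptor, which is the caveat about
# squid accepting its logfile "to be moved" raised at the top of the thread.
rotate_if_over() {
    _log=$1; _limit=$2; _cmd=$3
    [ -f "$_log" ] || return 1
    _size=$(file_size_bytes "$_log")
    if [ "$_size" -ge "$_limit" ]; then
        $_cmd
        return 0
    fi
    return 1
}

# write_sample_log PATH: constructed access.log lines (not real traffic).
# 10.0.0.5 behaves like the unauthenticated adware described in the thread:
# three retries within the same second after each 407 answer.
write_sample_log() {
    cat > "$1" <<'EOF'
1105541520.101     12 10.0.0.5 TCP_DENIED/407 1700 GET http://update.example.invalid/a.cab - NONE/- text/html
1105541520.205     11 10.0.0.5 TCP_DENIED/407 1700 GET http://update.example.invalid/a.cab - NONE/- text/html
1105541520.310     10 10.0.0.5 TCP_DENIED/407 1700 GET http://update.example.invalid/a.cab - NONE/- text/html
1105541520.400    250 10.0.0.9 TCP_MISS/200 5120 GET http://www.example.invalid/ user1 DIRECT/192.0.2.10 text/html
1105541521.050     13 10.0.0.5 TCP_DENIED/407 1700 GET http://update.example.invalid/a.cab - NONE/- text/html
EOF
}

# Stand-alone use (placeholder path and numbers):
#   ./squid_watchdog.sh /var/log/squid/access.log 2000000000 50
# Nothing runs when the file is sourced without arguments.
if [ "$#" -eq 3 ]; then
    echo "clients over $3 requests/second:"
    noisy_clients "$1" "$3"
    rotate_if_over "$1" "$2" "squid -k rotate" && echo "rotation triggered"
fi
```

Run from cron every few minutes with a limit comfortably below the 2Gb the thread mentions; the rate report gives the host list to clean up, while the rotation keeps the proxy alive until that is done. The threshold should be set well above what a legitimate browser produces, so only the retry-without-delay pattern shows up.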