Re: weird traffic coming from my squid box to clients on port 3128


Thank you, Amos.

From access.log, these client IPs with state of Established seem to
have some hits from cached contents.

I have also noticed that squid.ip.randomport. but majority of
established tcp connections is using 3128.

Any further idea on this issue is highly appreciated.

On Tue, Feb 3, 2009 at 8:39 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> Bostonian wrote:
>>
>> with netstat -n |grep SYN_RECV command, it shows that a few foreign hosts
>>
>> tcp 0 xx.xx.xx.xxx.3128 yy.yy.yy.yyy.1433 SYN_RECV
>> ....
>>
>> With netstat -n|grep ESTABLISHED command, it shows that a few foreign hosts
>>
>> tcp 0 xx.xx.xx.xxx.3128 zz.zz.zzz.zz1430 SYN_RECV
>> ....
>>
>> Is this normal?
>
> Maybe, maybe not.
>
> Check your access.log to see what is happening to those connections. They
> may be attack attempts that are denied safely by squid.
>
> Amos
>
>>
>>
>> On Mon, Feb 2, 2009 at 6:50 PM, Bostonian <ygwen77@xxxxxxxxx> wrote:
>>>
>>> I am a newbie here. Does "doing interception on inbound connections"
>>> mean that my squid box intercepts the client's request and returns the
>>> traffic from port 3128? Is this the normal way through which squid
>>> returns the request to its clients?
>>> Thank you.
>>>
>>> On Mon, Feb 2, 2009 at 6:35 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx>
>>> wrote:
>>>>>
>>>>> Dear All:
>>>>>
>>>>> I am running a squid 3.0 on a centos box and set it as
>>>>>
>>>>> http_port 3128 transparent
>>>>>
>>>>> It has been working well for a while. Then I noticed a traffic spike.
>>>>> tcpdump shows that there is a lot of traffic from port 3128 to other
>>>>> clients. I have disabled incoming traffic to 3128 from outside.
>>>>>
>>>>> What could be the reason? Someone hacked my cache?
>>>>>
>>>>> Best Regards,
>>>>> Young Wen
>>>>>
>>>> Perhaps you are doing interception on inbound connections somehow?
>>>> NAT will break past the firewall in that case.
>>>>
>>>> Amos
>>>>
>>>>
>>>>
>
>
> --
> Please be using
>  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE12
>  Current Beta Squid 3.1.0.4
>
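
The access.log check suggested in this thread, as an added example that is not part of the original messages: a Python sketch that groups Squid native-format access.log lines by client and lists clients outside the expected networks that were served content rather than denied. The sample log lines and the 192.168.1.0/24 local network are constructed assumptions.

```python
import ipaddress

# Constructed sample lines in Squid's native access.log format:
# time elapsed client result/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1233692340.120     85 192.168.1.20 TCP_HIT/200 4512 GET http://example.com/a.png - NONE/- image/png
1233692341.300    210 192.168.1.21 TCP_MISS/200 10240 GET http://example.com/ - DIRECT/192.0.2.10 text/html
1233692342.010      2 203.0.113.9 TCP_DENIED/403 1420 GET http://example.org/ - NONE/- text/html
1233692342.500     40 198.51.100.7 TCP_HIT/200 8192 GET http://example.com/a.png - NONE/- image/png
1233692343.900    150 198.51.100.7 TCP_MISS/200 20480 GET http://example.net/ - DIRECT/192.0.2.80 text/html
"""

# Assumption: the networks your legitimate clients connect from.
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]


def summarize(log_text, local_nets=LOCAL_NETS):
    """Group log lines by client IP: served vs denied requests and bytes sent."""
    stats = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # truncated or malformed line
        client, result, size = fields[2], fields[3], fields[4]
        try:
            addr = ipaddress.ip_address(client)
        except ValueError:
            continue  # client field is not an IP address
        entry = stats.setdefault(client, {
            "local": any(addr in net for net in local_nets),
            "served": 0, "denied": 0, "bytes": 0,
        })
        # Result codes look like TCP_HIT/200 or TCP_DENIED/403.
        if "DENIED" in result.split("/")[0]:
            entry["denied"] += 1
        else:
            entry["served"] += 1
            entry["bytes"] += int(size) if size.isdigit() else 0
    return stats


def external_served(stats):
    """Clients outside LOCAL_NETS that received content instead of a denial."""
    return sorted(ip for ip, s in stats.items() if not s["local"] and s["served"])


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip in external_served(summary):
        print(ip, summary[ip])
```

Any address this lists was served through the proxy from outside the expected networks; addresses that only accumulate denials were refused by Squid.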
