Re: weird traffic

[Matthew Morgan <atcs.matthew@xxxxxxxxx>]

Leonardo Carneiro wrote:
> you could bind squid to only listen the LAN interface. doind this, no 
> one will be able to estabilish a external connection with squid.
I'll try that, but I thought my firewall rules were taking care of 
that.  They may not be though...I'm just recently learning iptables.  
I'll post back with the results.

Thanks!


> Matthew Morgan escreveu:
> > I have squid set up as a transparent proxy.  It has two interfaces: 
> > eth0 (internet facing wan) and eth1 (local).  I'm using iptables to 
> > masquerade the packets from my local network on eth1 and redirect 
> > them to squid's port.  All this seems to work fine.
> >
> > The thing is, I keep seeing long periods of high incoming traffic on 
> > eth0, but low outgoing traffic on eth0, and nearly no traffic on 
> > eth1.  Every time I see this, the data is always coming from either 
> > llnw.net or msecn.net.  Both of these are legitimate content delivery 
> > networks.  When I inspect the traffic I'm getting with 
> > tcpdump/wireshark, none of the traffic from these domain is going 
> > through to eth1 at all.  I can confirm that this traffic is going to 
> > squid, since a netstat -p shows squid as the program with the 
> > connection open.
> >
> > What could be causing this?  I tried turning off persistent 
> > connections in case a client was making the connection and then 
> > ignoring the data, but I'm not sure if that's possible or the 
> > problem.  I'm not a network expert.