On Wed, 23 Sep 2009 10:17:31 -0400, Matthew Morgan <atcs.matthew@xxxxxxxxx> wrote:
> Amos Jeffries wrote:
>> On Tue, 22 Sep 2009 11:58:16 -0400, Matthew Morgan
>> <atcs.matthew@xxxxxxxxx>
>> wrote:
>>
>>> Leonardo Carneiro wrote:
>>>
>>>> you could bind squid to only listen on the LAN interface. doing this, no
>>>> one will be able to establish an external connection with squid.
>>>>
>>> I'll try that, but I thought my firewall rules were taking care of
>>> that. They may not be though... I'm just recently learning iptables.
>>> I'll post back with the results.
>>>
>>> Thanks!
>>>
>>
>> IIRC llnw.net are one of the providers for a lot of video content. If your
>> Squid is configured to download a complete file on range requests and one
>> of your users started downloading a video then stopped, Squid would show
>> this behavior.
>>
> Ah! This may be it. My squid IS set to download an entire file on
> range request so that windows updates will cache properly. We're
> actually a computer shop, so there is no telling what type of downloads
> the virus infested customer machines may initiate and drop as we work on
> them.
>
> Thanks for the tip!
>
> As for Leonardo Carneiro's advice about only binding to the local port:
> it may just be my imagination, but it seems like that has cut down on
> the length of time these strange connections last. As I said, I'm not
> really a networking expert, so I don't even know if that makes sense.
> Either way, it was a security measure I should have taken in the first
> place.

Ah, since you have untrusted machines internally, I'd suggest locking down
the access even further, so that only known machines have random access
out. The ones being fixed are allowed out to a whitelist of sites (AV vendors
and WU sources) so the auto-updates can work easily with less worry about
viral requests.

The squid logs can be grep'd during/after to see what it attempted, or the
sqstat web script used to show current connections for live tracking.
That should give a fair idea if there was any viral activity or if the
whitelist needs to be updated.

Amos

>> Though yeah, a firewall spot-check is also good when strange things
>> happen.
>>
>> Amos
>>
>>
>>>> Matthew Morgan wrote:
>>>>
>>>>> I have squid set up as a transparent proxy. It has two interfaces:
>>>>> eth0 (internet facing wan) and eth1 (local). I'm using iptables to
>>>>> masquerade the packets from my local network on eth1 and redirect
>>>>> them to squid's port. All this seems to work fine.
>>>>>
>>>>> The thing is, I keep seeing long periods of high incoming traffic on
>>>>> eth0, but low outgoing traffic on eth0, and nearly no traffic on
>>>>> eth1. Every time I see this, the data is always coming from either
>>>>> llnw.net or msecn.net. Both of these are legitimate content delivery
>>>>> networks. When I inspect the traffic I'm getting with
>>>>> tcpdump/wireshark, none of the traffic from these domains is going
>>>>> through to eth1 at all. I can confirm that this traffic is going to
>>>>> squid, since a netstat -p shows squid as the program with the
>>>>> connection open.
>>>>>
>>>>> What could be causing this? I tried turning off persistent
>>>>> connections in case a client was making the connection and then
>>>>> ignoring the data, but I'm not sure if that's possible or the
>>>>> problem. I'm not a network expert.
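The following squid.conf fragment is an added illustration of the setup Amos describes above (LAN-only listener, full access for known machines, whitelist-only access for machines on the bench); it is not from the thread or from the Squid project. The addresses, the three list files, their contents, and the directive names used for the two host groups are assumptions for the example; the directives themselves (`http_port`, `acl src`/`dstdomain`, `http_access`, `range_offset_limit`, `quick_abort_*`) are standard squid.conf directives.

```conf
# --- Listener: bind only to the LAN address, as Leonardo suggested.
# 192.168.1.1 is an assumed eth1 address. "intercept" is the Squid 3.1+
# keyword; Squid 2.x and 3.0 used "transparent" in the same position.
http_port 192.168.1.1:3128 intercept

# --- Host groups (assumed list files, one entry per line).
# /etc/squid/trusted_hosts.txt  e.g.  192.168.1.10
#                                     192.168.1.11
# /etc/squid/bench_hosts.txt    e.g.  192.168.1.100-192.168.1.120
acl trusted_hosts src "/etc/squid/trusted_hosts.txt"
acl bench_hosts   src "/etc/squid/bench_hosts.txt"

# --- Whitelist of destinations the bench machines may reach.
# /etc/squid/update_sites.txt   e.g.  .windowsupdate.com
#                                     .update.microsoft.com
#                                     .example-av-vendor.invalid   (placeholder)
# A leading dot matches the domain and all its subdomains.
acl update_sites dstdomain "/etc/squid/update_sites.txt"

# --- Access policy. Order matters: first match wins, and the final
# "deny all" is what turns the whitelist into an actual restriction.
http_access allow trusted_hosts
http_access allow bench_hosts update_sites
http_access deny all

# --- Range handling. -1 fetches the whole object on a range request so
# Windows Update files cache properly. This is the setting that keeps a
# download running on eth0 after a client (or malware) abandons it.
range_offset_limit -1

# quick_abort_* decide whether Squid keeps fetching an object after the
# client disconnects. Shown here at their documented defaults so the
# trade-off is visible: raise quick_abort_max to finish more abandoned
# downloads, lower it to cut them off sooner.
quick_abort_min 16 KB
quick_abort_max 16 KB
quick_abort_pct 95

# --- Logging. The default "squid" log format records the client IP in
# field 3 and the URL in field 7, so a bench host's attempts can be
# reviewed afterwards, e.g.:
#   grep ' 192.168.1.105 ' /var/log/squid/access.log | awk '{print $4, $7}'
# TCP_DENIED entries from a bench host are either blocked malware traffic
# or a sign that update_sites.txt needs another entry.
access_log /var/log/squid/access.log squid
```

Because the bench machines are identified by source address, the policy only holds if those addresses cannot be changed by the machine being repaired; on a shop LAN that usually means static DHCP reservations or a separate VLAN for the bench rather than trusting whatever address the box picks up.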