On 15/04/11 02:05, squid@xxxxxxxxxxxxxxxxxxxxxxx wrote:
Good day, Thanks all for concern. The network topology is as follows: Workstations are installed with Windows 7 Pro with Spyware Terminator with integrated ClamAV, all linked to a Cisco 2950 switch, and a multihomed server with Windows 7 Ultimate with ESET AV and Squid has one NIC connected to the Cisco switch for LAN connection and the other to the internet through a broadband device. Windows 7 on the server is used to share the internet connection and the workstation browsers are configured to use the server IP and port 3128. Thanks for your assistance, regards, Yomi
Thanks. A couple of things are in effect here and come to mind as possible reasons for the warnings.
First is the low (2048) FD limit on Windows. We have not been able to avoid that. ESET may simply be detecting the client traffic reaching or passing that limit. If so, it's not so much a security issue as a resource overload issue. The traffic bottlenecks behind Squid so clients get a crap experience but the Internet is saved from anything they try.
The other idea depends on whether you have ClamAV integrated to scan the Squid traffic? ClamAV with Squid-2 has to use a redirector. This forces up to *three* requests processed by Squid to fetch any new object. The first one from the client kicks off a ClamAV scan (getting a 3xx back from the ClamAV redirector). Then the ClamAV fetch to get content for scanning. Then the follow-up client request to get the scanned content from ClamAV.
DNS I'm not so sure of. Squid should not be making a huge amount of DNS requests. It could be your clients making a great many requests of Squid. If ESET provides which client IPs are the suspect ones, look through the Squid access.log and cache.log to see what those are doing. Your configuration can affect DNS load in bad ways though. For example, using the dst ACL raises DNS load by an extra lookup per ACL test in 2.7.
Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.6
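The access.log review suggested in the reply above, as an added example that is not part of the original message or of Squid itself: it summarises, per client IP, the request count, the number of distinct destination hosts (a rough indicator of how many names that client causes Squid to resolve) and the Squid result codes. It assumes Squid's default native access.log format; the sample lines, addresses and function names are constructed for illustration.

```python
# Added example: per-client summary of a Squid native-format access.log.
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's default "native" access.log format:
# time elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1302832800.101    145 192.168.1.10 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1302832800.350     12 192.168.1.10 TCP_HIT/200 2048 GET http://www.example.com/logo.png - NONE/- image/png
1302832801.002    210 192.168.1.23 TCP_MISS/200 900 GET http://a.example.net/x - DIRECT/192.0.2.21 text/html
1302832801.010    190 192.168.1.23 TCP_MISS/302 310 GET http://b.example.net/y - DIRECT/192.0.2.22 -
1302832801.015    600 192.168.1.23 TCP_MISS/200 4000 CONNECT mail.example.org:443 - DIRECT/192.0.2.23 -
1302832801.020      1 192.168.1.23 TCP_DENIED/403 1400 GET http://c.example.net/z - NONE/- text/html
this line is truncated
"""

def dest_host(method, url):
    """Return the destination host; CONNECT logs host:port, not a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def summarise(lines):
    """Per client IP: request count, distinct destination hosts, result codes."""
    stats = defaultdict(lambda: {"requests": 0, "hosts": set(), "results": Counter()})
    skipped = 0
    for line in lines:
        f = line.split()
        if len(f) < 7 or "/" not in f[3]:
            skipped += 1          # malformed or truncated entry
            continue
        client, result, method, url = f[2], f[3], f[5], f[6]
        s = stats[client]
        s["requests"] += 1
        s["results"][result.split("/")[0]] += 1
        host = dest_host(method, url)
        if host:
            s["hosts"].add(host)
    return dict(stats), skipped

def report(stats):
    """Rows sorted by request volume, busiest client first."""
    rows = [(ip, s["requests"], len(s["hosts"]), dict(s["results"]))
            for ip, s in stats.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    stats, skipped = summarise(SAMPLE_LOG.splitlines())
    for ip, n, hosts, results in report(stats):
        print(f"{ip:15} requests={n:<4} distinct_hosts={hosts:<3} {results}")
    print(f"skipped {skipped} unparseable line(s)")
```

To run it against a real log, pass an open file object to `summarise()` in place of the constructed sample.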