
Re: TCP Flooding attack and DNS Poisoning attack

On 15/04/2011 07:05, Amos Jeffries wrote:

On 15/04/11 02:05, squid@xxxxxxxxxxxxxxxxxxxxxxx wrote:
Good day,
Thanks all for your concern. The network topology is as follows:
Workstations are installed with Windows 7 Pro with Spyware Terminator with
integrated ClamAV, all linked to a Cisco 2950 switch, and a multihomed server
with Windows 7 Ultimate with ESET AV and Squid has one NIC connected to
the Cisco switch for the LAN connection and the other to the internet through a
broadband device. Windows 7 on the server is used to share the internet
connection, and the workstation browsers are configured to use the server IP and
port 3128.
Thanks for your assistance,
regards,
Yomi


Thanks. A couple of things are in effect here and come to mind as possible reasons for the warnings.

First is the low (2048) FD limit on Windows. We have not been able to avoid that. ESET may simply be detecting the client traffic reaching or passing that limit. If so, it's not so much a security issue as a resource overload issue. The traffic bottlenecks behind Squid so clients get a crap experience, but the Internet is saved from anything they try.

The other idea depends on whether you have ClamAV integrated to scan the Squid traffic. ClamAV with Squid-2 has to use a redirector. This forces up to *three* requests processed by Squid to fetch any new object. The first one from the client kicks off a ClamAV scan (getting a 3xx back from the ClamAV redirector). Then the ClamAV fetch to get content for scanning. Then the follow-up client request to get the scanned content from ClamAV.

DNS I'm not so sure of. Squid should not be making a huge amount of DNS requests. It could be your clients making a great many requests of Squid. If ESET provides which client IPs are the suspect ones, look through the Squid access.log and cache.log to see what those are doing. Your configuration can affect DNS load in bad ways though. For example, using the dst ACL raises DNS load by an extra lookup per ACL test in 2.7.

Amos

Well, it seems to me kind of normal in this situation.
If you do have some spare parts, I would run Squid on a dedicated machine with a caching DNS server on it.

Eliezer
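Amos suggests checking access.log for the client IPs the AV flags. The script below is an added example (not from anyone in this thread) that does that triage on Squid's native access.log format: it counts requests, distinct destination hosts (each new host is a forward DNS lookup for Squid) and the peak request rate per client, over constructed sample lines rather than the poster's real log. The threshold and window values are arbitrary assumptions.

```python
# Added example, not from the thread: triage Squid's native access.log to
# find which LAN clients generate the request (and DNS) load that a host AV
# product might report as "TCP flooding". All log lines below are constructed.
from collections import defaultdict
from urllib.parse import urlsplit

def native_line(ts, client, url, status="TCP_MISS/200"):
    """Build one line in Squid's native access.log layout:
    time elapsed client result/status bytes method URL ident hierarchy/peer type"""
    return f"{ts:.3f} 120 {client} {status} 2048 GET {url} - DIRECT/203.0.113.9 text/html"

# Constructed sample: one ordinary client, and one client requesting 120 distinct
# hosts within 30 seconds (each new host costs Squid a forward DNS lookup).
SAMPLE_LOG = "\n".join(
    [native_line(1302850800 + i * 10, "192.168.1.10", "http://www.example.com/page%d.html" % i) for i in range(3)]
    + [native_line(1302850800 + i * 0.25, "192.168.1.77", "http://host%03d.example.net/" % i) for i in range(120)]
)

def parse_line(line):
    """Return the fields this triage needs, or None for a malformed line."""
    parts = line.split()
    if len(parts) < 10:
        return None
    try:
        ts = float(parts[0])
    except ValueError:
        return None
    return {"ts": ts, "client": parts[2], "status": parts[3], "url": parts[6]}

def peak_in_window(stamps, window):
    """Largest number of requests falling inside any `window`-second span."""
    stamps = sorted(stamps)
    peak = start = 0
    for end, t in enumerate(stamps):
        while t - stamps[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak

def triage(log_text, window=60, threshold=50):
    """Per-client totals, distinct destination hosts, and peak request rate.
    window/threshold are assumed values; tune them to the LAN's normal load."""
    stamps, hosts = defaultdict(list), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stamps[rec["client"]].append(rec["ts"])
        hosts[rec["client"]].add(urlsplit(rec["url"]).hostname or rec["url"])
    report = {}
    for client, ts_list in stamps.items():
        peak = peak_in_window(ts_list, window)
        report[client] = {"total": len(ts_list), "distinct_hosts": len(hosts[client]),
                          "peak_per_window": peak, "suspect": peak > threshold}
    return report

if __name__ == "__main__":
    for client, r in sorted(triage(SAMPLE_LOG).items()):
        print(client, r)
```

Run it against a real access.log by passing the file contents to `triage()`; a client with a high distinct-host count is the one driving DNS load, while a high peak with few hosts points at retries or the redirector's extra round trips.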
