2011/7/11 Amos Jeffries <squid3@xxxxxxxxxxxxx>
>
> On 09/07/11 01:40, Carlos Manuel Trepeu Pupo wrote:
>>
>> 2011/7/8 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
>>>
>>> On 08/07/11 02:36, Carlos Manuel Trepeu Pupo wrote:
>>>>
>>>> Hi! I'm using squid 3.0 STABLE1. Here are my delay_pools in the squid.conf:
>>>>
>>>> acl enterprise src 10.10.10.2/32
>>>> acl bad_guys src 10.10.10.52/32
>>>> acl dsl_bandwidth src 10.10.48.48/32
>>>>
>>>> delay_pools 3
>>>>
>>>> delay_class 1 1
>>>> delay_parameters 1 25600/25600
>>>> delay_access 1 allow bad_guys
>>>> delay_access 1 deny all
>>>>
>>>> delay_class 2 1
>>>> delay_parameters 2 65536/65536
>>>> delay_access 2 allow enterprise
>>>> delay_access 2 deny all
>>>>
>>>> delay_class 3 1
>>>> delay_parameters 3 10240/10240
>>>> delay_access 3 allow dsl_bandwidth
>>>> delay_access 3 deny all
>>>>
>>>>
>>>> I think everything was right, but since yesterday I see "bad_guys"
>>>> downloading from youtube using all my bandwidth!! I have a 128 Kb
>>>> channel on ATM technology. So I hope you can help me!!!!!!!
>>>
>>> step 1) please verify that a recent release still has this problem.
>>> 3.0.STABLE1 was obsoleted years ago.
>>>
>>> step 2) check for things like follow_x_forwarded_for allowing them to fake
>>> their source address. 3.0 series did not check this properly and allows
>>> people to trivially bypass any IP-based security if you trust that header.
>>>
>>> Amos
>>>
>> I
>>
>> If I deny "bad_guys" they can't surf. The user is a client who has
>> a Kerio Firewall-Proxy with 10 users. I made the test of visiting them
>> and stopping their service; then the bandwidth went down, so I checked
>> that they are the ones who violate the delay_pool. Now, the question is
>> why this happens?
>
> I just gave you several possible answers to that.
>
> Considering that you only listed 10.10.10.52 and Kerio passes on X-Forwarded-For headers, the comment I made about follow_x_forwarded_for becomes a very important thing to know.
> Trusting XFF from their Kerio means firstly that "src 10.10.10.52" does not match and secondly that your delay pools, if it did match, would give each of their 10 internal machines a different pool.

Sorry, but I don't understand how I can give each of their 10 internal machines a different pool. I read the documentation about follow_x_forwarded_for. I would appreciate it if you could explain it to me better. Thanks

>
>> (Every time this happens I check the destination domain; it's youtube
>> and they are downloading from there.)
>
> Another possibility is that it is in fact an "upload" that you can see. delay_pools in 3.0 only work on bytes fetched _from_ the server. Outgoing bytes are not limited.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.14
> Beta testers wanted for 3.2.0.9
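Added illustration (not Squid's code, and not written by anyone in this thread): a small Python model of what follow_x_forwarded_for does to the client address before the src ACLs and delay_access lines above are evaluated. The three /32 ACLs, the pool numbers and the byte rates are copied from the squid.conf quoted in the thread; the hop-walking function, the trust lists and the sample X-Forwarded-For values are assumptions of the model and simplify Squid's real implementation. It shows the two consequences Amos describes: once the Kerio box at 10.10.10.52 is trusted, "src 10.10.10.52" stops matching (the proxy now sees the Kerio-internal address), and with a wide-open trust list any client can forge an XFF value to land in a better pool.

```python
import ipaddress

# Delay pools exactly as configured in the squid.conf quoted in this thread.
# Each is delay_class 1, i.e. one aggregate bucket shared by every client
# that matches the pool's src ACL.  Tuple: (pool, acl name, src net, bytes/s)
POOLS = [
    (1, "bad_guys",      ipaddress.ip_network("10.10.10.52/32"), 25600),
    (2, "enterprise",    ipaddress.ip_network("10.10.10.2/32"),  65536),
    (3, "dsl_bandwidth", ipaddress.ip_network("10.10.48.48/32"), 10240),
]


def indirect_client(direct_client, xff_header, trusted):
    """Simplified model (an assumption, not Squid's code) of follow_x_forwarded_for.

    Starting from the TCP peer, step to the rightmost unconsumed
    X-Forwarded-For entry for as long as the *current* address is one the
    follow_x_forwarded_for ACL allows.  The first address we do not trust
    becomes the "indirect client" that src ACLs are then evaluated against.
    `trusted` is a list of CIDR strings, e.g. ["10.10.10.52/32"].
    """
    trusted_nets = [ipaddress.ip_network(n) for n in trusted]
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    client = ipaddress.ip_address(direct_client)
    while hops and any(client in net for net in trusted_nets):
        try:
            client = ipaddress.ip_address(hops.pop())  # rightmost = nearest hop
        except ValueError:
            break  # e.g. "unknown": stop walking, keep the last valid address
    return client


def pool_for(client):
    """delay_access evaluation: first pool whose src ACL matches, else None."""
    for pool, _name, net, _rate in POOLS:
        if client in net:
            return pool
    return None


def classify(direct_client, xff_header, trusted):
    """Return (address the src ACLs see, delay pool number or None)."""
    client = indirect_client(direct_client, xff_header, trusted)
    return str(client), pool_for(client)


if __name__ == "__main__":
    # Constructed sample requests: the Kerio box at 10.10.10.52 forwards
    # its internal users' requests and appends X-Forwarded-For.
    cases = [
        ("follow_x_forwarded_for deny all (default)", "10.10.10.52", "192.168.1.7", []),
        ("follow_x_forwarded_for allow kerio",        "10.10.10.52", "192.168.1.7", ["10.10.10.52/32"]),
        ("follow_x_forwarded_for allow all + forged", "10.10.10.52", "10.10.10.2",  ["0.0.0.0/0"]),
    ]
    for label, peer, xff, trusted in cases:
        seen, pool = classify(peer, xff, trusted)
        print(f"{label:44s} peer={peer} xff={xff!r:16s} -> src sees {seen:12s} pool={pool}")
```

The practical check this suggests: confirm that squid.conf either leaves follow_x_forwarded_for at its default of `deny all`, or allows it only for the one Kerio address (followed by `deny all`) and, in releases that offer them, turns off `acl_uses_indirect_client` / `delay_pool_uses_indirect_client` so that the Kerio box is still throttled as a single 10.10.10.52 client. Whether the 10 Kerio users appear as one client sharing one 25600 B/s bucket or as ten unmatched addresses with no pool at all is decided entirely by that trust setting.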