Dear all,

We're considering running squid for thousands of users. Squid will use a single parent proxy IP address. A lot of connections will go from the Child squid to the Parent proxy.

Often, the Parent proxy initiates closing the TCP connection by sending the first FIN. This results in the connection going to TIME_WAIT at the Parent proxy, but not at the Child squid proxy, as per RFC. This means, from the perspective of the Child squid proxy, it's perfectly legal to re-use the same source port immediately. Or, at least, before the TIME_WAIT of the Parent proxy (and the firewalls in between) expires. This will result in timeouts / slowness. Not very often, since we can configure an ephemeral port range 1025-65535 = 64511 available ports, but it does happen occasionally considering the large amount of connections we have from the Child squid proxy to the Parent proxy. This is not a theoretical exercise, we have seen this in the past.

Currently, using other proxy servers, we overcome this issue by disabling TCP Ephemeral Port Randomization. This mitigates this issue entirely, since not all 64511 ports are used within the TIME_WAIT timeout. Security impact is low since it's local traffic.

I think squid relies on the OS to select the ephemeral source port, and in Linux I can see no way to disable this.

Is it possible to disable ephemeral port randomization within squid? If it is impossible, can this be considered as a new feature?

Thanks!

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
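The port-reuse mechanism the post describes, as an added illustration that is not Squid code and not part of the original thread: a small Python model that compares random and sequential source-port selection against a peer-side TIME_WAIT window, plus a bind-before-connect helper showing how a client can choose its own source port when the OS picks randomly. The 1025-65535 range is taken from the post; the connection rate (1000/s) and the parent's TIME_WAIT (60 s) are assumed values, and `connect_from_port` is an illustrative helper, not a Squid option.

```python
"""Added example (not Squid code): why random ephemeral ports hit a peer's
TIME_WAIT sooner than sequential ones, plus a bind-before-connect helper.
Rate and TIME_WAIT values below are constructed assumptions."""
import random
import socket
from itertools import cycle

# Ephemeral range from the post: 1025-65535 inclusive, 64511 ports.
PORT_RANGE = range(1025, 65536)
N_PORTS = len(PORT_RANGE)


def reuse_probability(window, n_ports=N_PORTS):
    """Steady-state probability that a uniformly random source port was already
    used within the last `window` connections, i.e. that the parent proxy (or a
    firewall in between) may still hold that 4-tuple in TIME_WAIT.
    `window` = connection rate * TIME_WAIT seconds."""
    if window <= 0:
        return 0.0
    return 1.0 - (1.0 - 1.0 / n_ports) ** window


def sequential_ports():
    """Hand out 1025, 1026, ..., 65535, 1025, ... like a non-randomising stack."""
    return cycle(PORT_RANGE)


def random_ports(seed=1):
    """Pick each source port uniformly at random (seeded so runs are repeatable)."""
    rng = random.Random(seed)
    while True:
        yield rng.choice(PORT_RANGE)


def simulate(n_connections, window, port_source):
    """Count connections whose source port was last used fewer than `window`
    connections ago.  The connection index stands in for time; every connection
    shares the same source IP, destination IP and destination port, as in the
    post, so the source port alone decides whether the 4-tuple repeats."""
    last_seen = {}
    collisions = 0
    for i in range(n_connections):
        port = next(port_source)
        if port in last_seen and i - last_seen[port] < window:
            collisions += 1
        last_seen[port] = i
    return collisions


def connect_from_port(host, port, src_port, timeout=5.0):
    """Open a TCP connection from an explicitly chosen source port (bind before
    connect).  Raises OSError (EADDRINUSE) if the port is still held locally."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    s.bind(("", src_port))
    s.connect((host, port))
    return s


if __name__ == "__main__":
    rate, time_wait = 1000, 60      # assumed: 1000 conn/s, 60 s TIME_WAIT on the parent
    window = rate * time_wait       # 60000 connections inside one TIME_WAIT period
    print(f"P(reuse within TIME_WAIT), random ports: {reuse_probability(window):.2f}")
    print("sequential collisions:", simulate(200_000, window, sequential_ports()))
    print("random collisions:    ", simulate(200_000, window, random_ports()))
```

With these assumed numbers the sequential allocator produces no reuse inside the window, because the 64511-port cycle is longer than the 60000 connections that fit in one TIME_WAIT period, while random selection reuses a still-quarantined port on roughly 60% of connections once the window has filled. Sequential allocation stops helping as soon as rate * TIME_WAIT exceeds the range size; at that point only a shorter TIME_WAIT on the parent side, more source addresses, or fewer connections (keep-alive to the parent) removes the collisions. Note also that Squid's `tcp_outgoing_address` selects only the source address, not the port.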