5. Frequently Asked Questions

5.1. Is it possible to limit bandwidth on a per-user basis with delay pools?

Yes. Look inside the original squid.conf file and check the Squid documentation at http://www.squid-cache.org.

5.2. How do I make wget work with Squid?

It's simple. Create a file called .wgetrc in your home directory and insert the following lines; that's it! (wgetrc keys are written in lower case and the proxy is given as a URL.)

http_proxy = http://192.168.1.1:8080/
ftp_proxy = http://192.168.1.1:8080/

To make it work globally for all users, type man wget to learn how.

5.3. I set up my own SOCKS server listening on port 1080, and now I'm not able to connect to any IRC server.

There can be two issues here.

One is when your SOCKS proxy is an open relay, meaning that anyone, from anywhere in the world, can use it. That is a security issue and you should check your SOCKS proxy configuration again - IRC servers generally refuse connections from open relay SOCKS servers.

If you are sure your SOCKS server isn't an open relay, you may still be refused by some IRC servers - most of them simply check whether a SOCKS server is running on port 1080 of the connecting client. In that case just reconfigure your SOCKS server to listen on a different port. You will also have to reconfigure your LAN software to use the proper SOCKS server and port.

5.4. I don't like when Kazaa or Audiogalaxy is filling up all my upload bandwidth.

Indeed that can be painful, but it's simple to solve.

Create a file called, for example, /etc/sysconfig/cbq/cbq-15.ppp.

Insert the following lines into it, and Kazaa or Audiogalaxy will upload no faster than about 15 kbit/s. I assume that your outgoing internet interface is ppp0.

DEVICE=ppp0,115Kbit,11Kbit
RATE=15Kbit
WEIGHT=2Kbit
PRIO=5
TIME=01:00-07:59;110Kbit/11Kbit
RULE=,:21
RULE=,213.25.25.101
RULE=,:1214
RULE=,:41000
RULE=,:41001
#And so on till :41030
RULE=,:41030

5.5. My outgoing mail server is eating up all my bandwidth.

You can limit your SMTP, Postfix, Sendmail, or whatever, in a way similar to the question above. Just change or add one rule:

RULE=,:25

Moreover, if you have an SMTP server, you can force your local LAN users to use it, even if they have configured their own SMTP server as smtp.some.server! We'll do it transparently, as we did before with Squid.

2.2.x Kernels

/sbin/ipchains -A input -s 192.168.1.1/24 -d ! 192.168.1.1 25 -p TCP -j REDIRECT 25

2.4.x Kernels

/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j REDIRECT --to-port 25

Don't forget to add a proper line to your initialization scripts.

5.6. Can I limit my own FTP or WWW server in a manner similar to that shown in the question above?

Generally you can, but usually these servers have their own bandwidth limiting configuration, so you will probably want to look into their documentation.

5.7. Is it possible to limit bandwidth on a per-user basis with cbq.init script?

Yes. Look inside this script; there are some examples.

5.8. Whenever I start cbq.init, it says sch_cbq is missing.

Probably you don't have CBQ built as modules on your system. If you have compiled CBQ into your kernel, comment out the following lines in your cbq.init-v0.6.2 script:

### If you have cbq, tbf and u32 compiled into kernel, comment it out
#for module in sch_cbq sch_tbf sch_sfq sch_prio cls_u32; do
#        if ! modprobe $module; then
#               echo "**CBQ: could not load module $module"
#               exit
#        fi
#done

5.9. CBQ sometimes doesn't work for no reason.

Generally it shouldn't happen. Sometimes, though, you can observe mass downloads even though you think you have blocked all the ports Napster or Audiogalaxy use. Well, there is always one more port open for mass downloads. To find it, you can use IPTraf. As there can be thousands of such ports, this can be a really hard task. To make it easier, consider running your own SOCKS proxy - Napster, Audiogalaxy and many other programs can use SOCKS proxies, so it's much easier to deal with just one port than with thousands of possibilities (the standard SOCKS port is 1080; if you run your own SOCKS proxy server you can set it up differently, or run multiple instances of the SOCKS proxy listening on different ports). Don't forget to close all other ports to traffic, leaving open only ports like 25 and 110 (SMTP and POP3) and others you think might be useful. You will find a link to the awesome Nylon SOCKS proxy server at the end of this HOWTO.

5.10. Delay pools are stupid; why can't I download something at full speed when the network is used only by me?

Unfortunately, you can't do much about it.

The only thing you can do is to use cron to reconfigure Squid: for example, at 1.00 am switch to a config in which Squid doesn't use delay pools, then at, let's say, 7.30 am switch back to a config that does use them.

To do this, create two separate config files, called for example squid.conf-day and squid.conf-night, and put them into /opt/squid/etc/.

squid.conf-day would be an exact copy of the config we created earlier.

squid.conf-night, on the contrary, would not have any delay pool lines, so all you have to do is comment them out.

The next thing you have to do is set up the /etc/crontab entries correctly.

Edit /etc/crontab and put the following lines there:

#SQUID - night and day config change
01 9 * * * root /bin/cp -f /opt/squid/etc/squid.conf-day /opt/squid/etc/squid.conf; /opt/squid/bin/squid -k reconfigure
59 23 * * * root /bin/cp -f /opt/squid/etc/squid.conf-night /opt/squid/etc/squid.conf; /opt/squid/bin/squid -k reconfigure
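The crontab lines above run "squid -k reconfigure" even when the cp fails, and a reconfigure that lands on a half-written squid.conf can leave Squid with no working config. The script below is an added example (not part of the HOWTO or of Squid) that does the same day/night switch more carefully: it refuses unknown modes, checks the candidate file with "squid -k parse" before touching the live file (assumption: the installed Squid supports -k parse), and replaces squid.conf atomically with mv. The paths default to the /opt/squid ones used in this HOWTO; SQUID_BIN and SQUID_ETC are this example's own variables for overriding them.

```shell
#!/bin/sh
# Added example, not code from the Bandwidth Limiting HOWTO or from Squid.
# Switch Squid between the day (delay pools on) and night (delay pools off)
# configs described in question 5.10, validating before reconfiguring.
# SQUID_BIN / SQUID_ETC are this example's own override variables.

# switch_squid_config day|night
#   Copies $SQUID_ETC/squid.conf-<mode> over $SQUID_ETC/squid.conf and asks
#   the running Squid to reconfigure. Returns non-zero (and leaves the live
#   config untouched) when the mode is unknown, the source file is missing
#   or unreadable, or the source file fails "squid -k parse".
switch_squid_config() {
    mode=$1
    bin=${SQUID_BIN:-/opt/squid/bin/squid}
    etc=${SQUID_ETC:-/opt/squid/etc}
    case "$mode" in
        day|night) ;;
        *) echo "usage: switch_squid_config day|night" >&2; return 2 ;;
    esac
    src="$etc/squid.conf-$mode"
    dst="$etc/squid.conf"
    [ -r "$src" ] || { echo "switch_squid_config: missing $src" >&2; return 1; }

    # Validate the candidate config first (assumption: Squid supports -k parse).
    "$bin" -k parse -f "$src" || { echo "switch_squid_config: $src does not parse" >&2; return 1; }

    # Write to a temp name and rename: a reconfigure never sees a partial file.
    cp -f "$src" "$dst.tmp" && mv -f "$dst.tmp" "$dst" || return 1
    "$bin" -k reconfigure
}

# Usage from cron, replacing the two one-liners above (constructed example):
#   01 9  * * * root /usr/local/sbin/switch-squid.sh day
#   59 23 * * * root /usr/local/sbin/switch-squid.sh night
if [ -n "${1:-}" ]; then
    switch_squid_config "$1"
fi
```

Because the function returns before the reconfigure whenever a step fails, a typo in squid.conf-night is caught by the parse step at 23:59 instead of taking the proxy down overnight.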

5.11. My downloads break at 23:59 with "acl day time 09:00-23:59" in squid.conf. Can I do something about it?

You can achieve this by removing that acl from your squid.conf, together with the "delay_access 2 allow dzien" and "delay_access 2 deny !dzien" lines.

Then try to do it with cron as in the question above.

5.12. Squid's logs grow and grow very fast, what can I do about it?

Indeed, the more users you have, the more - sometimes useful - information gets logged.

The best way to tame it is to use logrotate, but you need a small trick to make it work with Squid: matching cron and logrotate entries.

/etc/crontab entries:

#SQUID - logrotate
01 4 * * * root /opt/squid/bin/squid -k rotate; /usr/sbin/logrotate /etc/logrotate.conf; /bin/rm -f /var/log/squid/*.log.0

This makes logrotate run daily at 04:01 am, so remove any other logrotate entry points, for example from /etc/cron.daily/.

/etc/logrotate.d/syslog entries:

#SQUID logrotate - will keep logs for 40 days
/var/log/squid/*.log.0 {
    rotate 40
    compress
    daily
    postrotate
        /usr/bin/killall -HUP syslogd
    endscript
}

5.13. CBQ is stupid; why can't I download something at full speed when the network is used only by me?

Lucky you, it's possible!

There are two ways to achieve it.

The first is the easy one, similar to the solution we used with Squid. Insert a line similar to the one below into your CBQ config files in /etc/sysconfig/cbq/:

TIME=00:00-07:59;110Kbit/11Kbit

You can have multiple TIME parameters in your CBQ config files.

Be careful though, because there is a small bug in the cbq.init-v0.6.2 script - it won't accept certain times, for example 00:00-08:00 (the shell arithmetic reads a leading zero as octal, so 08 and 09 are rejected). To check that everything is working correctly, start cbq.init-v0.6.2 and then, within the time window you set, type

/etc/rc.d/cbq.init-v0.6.2 timecheck

This is an example of how the proper output should look:

[root@mangoo rc.d]# ./cbq.init start; ./cbq.init timecheck
**CBQ: 3:44: class 10 on eth0 changed rate (20Kbit -> 110Kbit)
**CBQ: 3:44: class 40 on ppp0 changed rate (15Kbit -> 110Kbit)
**CBQ: 3:44: class 50 on eth0 changed rate (35Kbit -> 110Kbit)

In this example something went wrong, probably in the second config file in /etc/sysconfig/cbq/ (second counting from the lowest number in its name):

[root@mangoo rc.d]# ./cbq.init start; ./cbq.init timecheck
**CBQ: 3:54: class 10 on eth0 changed rate (20Kbit -> 110Kbit)
./cbq.init: 08: value too great for base (error token is "08")

The second way to make CBQ more intelligent is harder - it doesn't depend on time. You can read about it in the Linux 2.4 Advanced Routing HOWTO, and play with tc command.
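The "value too great for base" error in question 5.13 comes from shell arithmetic treating a leading zero as octal, which is why 08 and 09 break the TIME= check. The script below is an added example (not part of the HOWTO or of cbq.init) showing how to evaluate a cbq.init-style TIME= window without that pitfall: the leading zero is stripped before any arithmetic, so every hour and minute is read in base 10. It also handles windows that wrap past midnight, which is this example's own choice rather than documented cbq.init behaviour; the sample config file is constructed here and is not one of the HOWTO's files.

```shell
#!/bin/sh
# Added example, not code from the Bandwidth Limiting HOWTO or from cbq.init.
# Evaluate "TIME=HH:MM-HH:MM;RATE/WEIGHT" windows from a cbq config file in
# plain base-10 arithmetic, so "08" and "09" never trigger the octal error.

# to_minutes HH:MM -> minutes since midnight.
# ${h#0} strips one leading zero ("08" -> "8", "00" -> "0"); POSIX sh, no 10# needed.
to_minutes() {
    h=${1%%:*}; m=${1#*:}
    h=${h#0}; m=${m#0}
    echo $(( ${h:-0} * 60 + ${m:-0} ))
}

# time_window_active "HH:MM-HH:MM;RATE/WEIGHT" "HH:MM"
#   Prints RATE/WEIGHT and returns 0 when the clock time lies inside the
#   window (inclusive at both ends); returns 1 otherwise. A window whose end
#   precedes its start (22:00-06:00) is treated as wrapping past midnight,
#   which is this example's choice, not documented cbq.init behaviour.
time_window_active() {
    spec=$1; now=$2
    window=${spec%%;*}; rate=${spec#*;}
    start=$(to_minutes "${window%%-*}")
    end=$(to_minutes "${window#*-}")
    cur=$(to_minutes "$now")
    if [ "$start" -le "$end" ]; then
        if [ "$cur" -ge "$start" ] && [ "$cur" -le "$end" ]; then
            echo "$rate"; return 0
        fi
    else
        if [ "$cur" -ge "$start" ] || [ "$cur" -le "$end" ]; then
            echo "$rate"; return 0
        fi
    fi
    return 1
}

# check_cbq_times FILE HH:MM
#   Prints one line per TIME= entry in FILE saying whether it is active at
#   the given clock time, so a config can be checked before cbq.init runs it.
check_cbq_times() {
    file=$1; now=$2
    grep '^TIME=' "$file" | while IFS= read -r line; do
        spec=${line#TIME=}
        if rate=$(time_window_active "$spec" "$now"); then
            echo "active   $spec -> $rate"
        else
            echo "inactive $spec"
        fi
    done
}

# Demo on a constructed config in the style of /etc/sysconfig/cbq/cbq-15.ppp
# (not a file from the HOWTO). Run with: sh this-script.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
DEVICE=ppp0,115Kbit,11Kbit
RATE=15Kbit
WEIGHT=2Kbit
PRIO=5
TIME=00:00-08:00;110Kbit/11Kbit
TIME=22:30-23:59;60Kbit/6Kbit
RULE=,:1214
EOF
    check_cbq_times "$tmp" "03:44"
    rm -f "$tmp"
fi
```

Running the demo at 03:44 reports the 00:00-08:00 window as active and the 22:30-23:59 window as inactive; the same 00:00-08:00 line is exactly the kind of entry the cbq.init-v0.6.2 timecheck rejects.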
