Do, or do not. There is no ‘try’

Archive for January 2008

Introduction

Squid has a feature called delay pools, which allows us to control download bandwidth. Unfortunately, in most distributions, Squid is shipped without that feature.

So if you have Squid already installed, I must disappoint you — you need to uninstall it and do it once again with delay pools enabled in the way I explain below.

1. To get maximum performance from our Squid proxy, it’s best to create a separate partition for its cache, called /cache/. Its size should be about 300 megabytes, depending on our needs.

If you don’t know how to make a separate partition, you can create the /cache/ directory on a main partition, but Squid performance can suffer a bit.

2. We add a safe 'squid' user:

# useradd -d /cache/ -r -s /dev/null squid >/dev/null 2>&1

No one can log in as squid, including root.

3. We download the latest Squid sources from http://www.squid-cache.org (http://www.squid-cache.org/Versions/v2/2.4/squid-2.4.STABLE1-src.tar.gz).

4. We unpack everything to /var/tmp:

# tar xzpf squid-2.4.STABLE1-src.tar.gz

5. We compile and install Squid (the ./configure command is all on one line):

# cd /var/tmp/squid-2.4.STABLE1
# ./configure --prefix=/opt/squid --exec-prefix=/opt/squid --enable-delay-pools --enable-cache-digests --enable-poll --disable-ident-lookups --enable-truncate --enable-removal-policies
# make all
# make install

Configuring Squid to use the delay pools feature

1. Configure our squid.conf file (located under /opt/squid/etc/squid.conf):

#squid.conf
#Every option in this file is very well documented in the original squid.conf file
#and on http://www.visolve.com/squidman/Configuration%20Guide.html

#
#The ports our Squid will listen on.
http_port 8080
icp_port 3130
#cgi-bins will not be cached.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
#Memory the Squid will use. Well, Squid will use far more than that.
cache_mem 16 MB
#250 means that Squid will use 250 megabytes of disk space.
cache_dir ufs /cache 250 16 256

#Places where Squid’s logs will go to.
cache_log /var/log/squid/cache.log
cache_access_log /var/log/squid/access.log
cache_store_log /var/log/squid/store.log
cache_swap_log /var/log/squid/swap.log
#How many times to rotate the logs before deleting them.
#See the FAQ for more info.
logfile_rotate 10

redirect_rewrites_host_header off
cache_replacement_policy GDSF
acl localnet src 192.168.1.0/255.255.255.0
acl localhost src 127.0.0.1/255.255.255.255
acl Safe_ports port 80 443 210 119 70 20 21 1025-65535
acl CONNECT method CONNECT
acl all src 0.0.0.0/0.0.0.0
http_access allow localnet
http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT
http_access deny all
maximum_object_size 3000 KB
store_avg_object_size 50 KB

#Set these if you want your proxy to work in a transparent way.
#Transparent proxy means you generally don’t have to configure all
#your clients' browsers, but has some drawbacks too.
#Leaving these uncommented won’t do any harm.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

#all our LAN users will be seen by external web servers
#as if they all used Mozilla on Linux. :)
anonymize_headers deny User-Agent
fake_user_agent Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.6+) Gecko/20011122

#To make our connection even faster, we put two lines similar
#to the ones below. They will point a parent proxy server our own Squid
#will use. Don’t forget to change the server to the one that will
#be fastest for you!
#Measure pings, traceroutes and so on.
#Make sure that http and icp ports are correct.

#Uncomment lines beginning with “cache_peer” if necessary.
#This is the proxy you are going to use for all connections…
#cache_peer w3cache.icm.edu.pl parent 8080 3130 no-digest default

#…except for the connections to addresses and IPs beginning with “!”.
#It’s a good idea not to use a higher
#cache_peer_domain w3cache.icm.edu.pl !.pl !7thguard.net !192.168.1.1

#This is useful when we want to use the Cache Manager.
#Copy cachemgr.cgi to cgi-bin of your www server.
#You can reach it then via a web browser typing
#the address http://your-web-server/cgi-bin/cachemgr.cgi
cache_mgr your@email
cachemgr_passwd secret_password all

#This is a name of a user our Squid will work as.
cache_effective_user squid
cache_effective_group squid

log_icp_queries off
buffered_logs on

Delay Pools

#This is the most important part for shaping incoming traffic with Squid
#For detailed description see squid.conf file or docs at http://www.squid-cache.org

#We don’t want to limit downloads on our local network.
acl magic_words1 url_regex -i 192.168

#We want to limit downloads of these types of files
#(the acl line must be all on one line)
acl magic_words2 url_regex -i ftp .exe .mp3 .vqf .tar.gz .gz .rpm .zip .rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav .mov
#We don’t block .html, .gif, .jpg and similar files, because they
#generally don’t consume much bandwidth

#We want to limit bandwidth during the day, and allow
#full bandwidth during the night
#Caution! With the acl below your downloads are likely to break
#at 23:59. Read the FAQ if you want to avoid it.
acl day time 09:00-23:59

#We have two different delay_pools
#View Squid documentation to get familiar
#with delay_pools and delay_class.
delay_pools 2

#First delay pool
#We don’t want to delay our local traffic.
#There are three pool classes; here we will deal only with the second.
#First delay class (1) of second type (2).
delay_class 1 2

#-1/-1 mean that there are no limits.
delay_parameters 1 -1/-1 -1/-1

#magic_words1: 192.168 we have set before
delay_access 1 allow magic_words1

#Second delay pool.
#we want to delay downloading files mentioned in magic_words2.
#Second delay class (2) of second type (2).
delay_class 2 2

#The numbers here are values in bytes;
#we must remember that Squid doesn’t consider start/stop bits
#5000/150000 are values for the whole network
#5000/120000 are values for the single IP
#after downloaded files exceed about 150000 bytes,
#(or even twice or three times as much)
#they will continue to download at about 5000 bytes/s

delay_parameters 2 5000/150000 5000/120000
#We have set day to 09:00-23:59 before.
#Squid uses the first delay_access line that matches, so an unconditional
#"allow day" here would put every daytime request in this pool, .html and all.
#Deny outside the day window first, then pool only the magic_words2 downloads.
delay_access 2 deny !day
delay_access 2 allow magic_words2

#EOF

Here in delay_parameters 2 5000/150000 5000/120000 we can change the numbers according to our requirements. For example, if we want to give our LAN users a download speed of 20 KB/Sec with a bucket size of 12 MB, and the whole network a download speed of 25 KB/Sec with a bucket size of 25 MB, change this line to delay_parameters 2 25000/250000 20000/120000
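The two numbers in each restore/max pair are bytes per second and bytes, so a megabyte-sized bucket needs a seven-digit value. As an added example (not part of the tutorial), the helpers below convert KB figures into a delay_parameters line, parse one back, and simulate a class-2 token bucket so the "full speed until the bucket drains, then about 5000 bytes/s" behaviour the comments describe can be seen. They assume 1 KB = 1000 bytes (the text's 5000 bytes/s is 5 KB/s) and a simplified once-per-second refill; Squid's real scheduler refills more finely, but the shape is the same.

```python
# Added example, not Squid code: delay_parameters helpers and a token-bucket model.
from typing import List, Optional, Tuple

KB = 1000  # assumption: decimal kilobytes, matching the text's 5000 bytes/s == 5 KB/s


def delay_parameters_line(pool: int, agg_rate_kb: float, agg_bucket_kb: float,
                          ip_rate_kb: float, ip_bucket_kb: float) -> str:
    """Render a class-2 line: aggregate restore/max first, then per-IP restore/max.
    restore is bytes per second, max is the bucket size in bytes."""
    return (f"delay_parameters {pool} "
            f"{int(agg_rate_kb * KB)}/{int(agg_bucket_kb * KB)} "
            f"{int(ip_rate_kb * KB)}/{int(ip_bucket_kb * KB)}")


def parse_delay_parameters(line: str) -> Tuple[int, List[Tuple[int, int]]]:
    """Parse 'delay_parameters N restore/max [restore/max ...]'; -1 means unlimited."""
    parts = line.split()
    if len(parts) < 3 or parts[0] != "delay_parameters":
        raise ValueError(f"not a delay_parameters line: {line!r}")
    buckets = []
    for spec in parts[2:]:
        restore, maximum = spec.split("/")
        buckets.append((int(restore), int(maximum)))
    return int(parts[1]), buckets


def simulate_bucket(restore: int, maximum: int, demand: int, seconds: int) -> List[int]:
    """Bytes delivered in each of `seconds` ticks to a client wanting `demand` bytes/s.
    The bucket starts full, gains `restore` bytes per tick, never exceeds `maximum`;
    -1/-1 means no limit at all."""
    if restore < 0 or maximum < 0:
        return [demand] * seconds
    level = maximum
    delivered = []
    for _ in range(seconds):
        level = min(maximum, level + restore)
        sent = min(demand, level)
        level -= sent
        delivered.append(sent)
    return delivered


def seconds_until_throttled(restore: int, maximum: int, demand: int,
                            horizon: int = 3600) -> Optional[int]:
    """Index of the first tick that gets less than `demand`; None if that never happens."""
    for tick, sent in enumerate(simulate_bucket(restore, maximum, demand, horizon)):
        if sent < demand:
            return tick
    return None


if __name__ == "__main__":
    print(delay_parameters_line(2, 5, 150, 5, 120))
    # a client pulling 50000 bytes/s against the tutorial's 5000/150000 bucket
    print(simulate_bucket(5000, 150000, 50000, 6))
```

With the tutorial's values a client pulling 50 KB/s gets three full-speed seconds before the bucket is empty and the rate collapses to the restore value; a client that asks for less than the restore rate is never throttled.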

OK, when we have configured everything, we must make sure everything under the /opt/squid and /cache directories belongs to user 'squid'.

# mkdir /var/log/squid/
# chown squid:squid /var/log/squid/
# chmod 770 /var/log/squid/
# chown -R squid:squid /opt/squid/
# chown -R squid:squid /cache/

Now everything is ready to run Squid. When we do it for the first time, we have to create its cache directories:

# /opt/squid/bin/squid -z

We run Squid and check if everything is working. A good tool to do that is IPTraf; you can find it on http://freshmeat.net. Make sure you have set the appropriate proxy in your web browsers (192.168.1.1, port 8080 in our example):

# /opt/squid/bin/squid

If everything is working, we add /opt/squid/bin/squid line to the end of our initializing scripts. Usually, it can be /etc/rc.d/rc.local.

Other helpful options in Squid may be:

# /opt/squid/bin/squid -k reconfigure
(it reconfigures Squid if we made any changes in its squid.conf file)
# /opt/squid/bin/squid -help
(self-explanatory :) )

You can also copy cachemgr.cgi to the cgi-bin directory of your WWW server, to make use of a useful Cache Manager.
Quote From: http://wiki.ittoolbox.com/index.php/Install_Squid_with_delay_pools


15 Jan 2008

Photoshop Vector Style Poster Design

This photoshop tutorial will show you how you can create a vector style poster design. Yep, it includes that spiffy “sun ray” element that’s hot right now. So, fire up Photoshop and let’s get started.

The first thing you’ll need to do is get some brushes, and find a good stock picture. Here’s a ZIP file with the brushes you’ll need, as well as the stock picture I used.
Resources

Install the brush files in C:\Program Files\Adobe\Photoshop CS2\Presets\Brushes\Photoshop Only, or wherever your photoshop is installed to.

Step 1

Open a new document in Photoshop, set the dimensions to 500 x 500. Set your foreground and background colors to #12d60d and #22a61b. Create a new layer, then select the gradient tool (or hit G), click the gradient preview on the gradient toolbar, and set it to Foreground to Background.

Photoshop Tutorial

On the new layer, click in the middle of the document, then drag (while holding the mouse, and shift) up to the top of the document, then release.

Now, make a new layer, and set the foreground color to #11860b, and click the brush tool. Load Vector 2 by Physical Magic, and select the first brush. Resize it to 700 or so, and click in on the center of the document. Now your design should look like this.

On the “sun ray” layer, set the layer style to this.


Now you are done with the background design.

Step 2

Next, open up the fist stock image included in the zip file. Extract it from the white background. Once you have a layer with just the fist on it, go to Image > Adjustments > Threshold. Then enter 160, and hit OK.

Then, go to Filter > Artistic > Cutout, and enter these settings:

    • Number of Levels: 8
    • Edge Simplicity: 2
    • Edge Fidelity: 2

Now, when you extracted the fist, depending on what method you used, you might have some little white pixels randomly in the image. To get rid of these, use the lasso tool / polygon lasso tool to select the fist. Give it some padding when you select it, so that you aren’t exactly on the fist. Then just right click, select inverse, and hit delete. Now you have a clean extraction, that looks like this.

Step 3

OK, drag the fist layer onto the original document, resize it to 60-70%, and center it. Now, add this layer style (the stroke is 10px, white; the colors for the gradient are #dcb48a to #dd8e4d).


Step 4

Make a new layer under the fist layer. Grab the brush tool (or hit B), and then select BRUSHES_01_02, or load the brush set if you haven’t already. Grab a few of the brushes, resize them to around 500, and click in the center of the image. Here’s what I got:

Step 5

Now for the last step. Go to Google, and image search “family crest” or “coat of arms,” and limit the results to just high resolution. Then find an image with a banner that you like, and copy it into photoshop. Loosely cut out the banner, and clone or copy out the text on it, replacing it with your own in whatever font you like. Add a drop shadow to the banner layer, and whatever font styling you want. Here’s what mine looks like:

This tutorial is created by: http://tutorialaday.com/awesome-photoshop-vector-style-poster-design/


13 Jan 2008

Passive ftp firewall

#!/bin/sh
#create a firewall for this machine
IPTABLES=/usr/sbin/iptables
EXTIP=123.123.123.123

$IPTABLES -F
/sbin/modprobe ipt_state
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp

# Disable response to broadcasts.
# You don't want yourself becoming a Smurf amplifier.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Don't accept source routed packets. Attackers can use source routing to generate
# traffic pretending to be from inside your network, but which is routed back along
# the path from which it came, namely outside, so attackers can compromise your
# network. Source routing is rarely used for legitimate purposes.
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

# Disable ICMP redirect acceptance. ICMP redirects can be used to alter your routing
# tables, possibly to a bad end.
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

# Enable bad error message protection.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Turn on reverse path filtering. This helps make sure that packets use
# legitimate source addresses, by automatically rejecting incoming packets
# if the routing table entry for their source address doesn't match the network
# interface they're arriving on. This has security advantages because it prevents
# so-called IP spoofing, however it can pose problems if you use asymmetric routing
# (packets from you to a host take a different path than packets from that host to you)
# or if you operate a non-routing host which has several IP addresses on different
# interfaces. (Note - If you turn on IP forwarding, you will also get this).
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
    /bin/echo "1" > ${interface}
done

# Log spoofed packets, source routed packets, redirect packets.
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

# Make sure that IP forwarding is turned off. We only want this for a multi-homed host.
/bin/echo "0" > /proc/sys/net/ipv4/ip_forward

# defaults
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP

# internal range is not blocked
$IPTABLES -A INPUT -i eth0 -j ACCEPT

# ping
$IPTABLES -A INPUT -p icmp -j ACCEPT
# dns
$IPTABLES -A INPUT -i eth1 -d $EXTIP -s 217.33.150.220 -p tcp --sport 53 -j ACCEPT
$IPTABLES -A INPUT -i eth1 -d $EXTIP -s 217.33.150.220 -p udp --sport 53 -j ACCEPT
$IPTABLES -A INPUT -i eth1 -d $EXTIP -s 217.33.150.221 -p tcp --sport 53 -j ACCEPT
$IPTABLES -A INPUT -i eth1 -d $EXTIP -s 217.33.150.221 -p udp --sport 53 -j ACCEPT

# allow ftp from anywhere; ip_conntrack_ftp (loaded above) marks the passive-mode
# data connections RELATED so the high-port rule can accept them
$IPTABLES -A INPUT -i eth1 -d $EXTIP -p tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -i eth1 -d $EXTIP -p tcp --dport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i eth1 -d $EXTIP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

# log everything else on this interface; LOG does not stop the packet,
# the INPUT policy (DROP) set above discards it
$IPTABLES -A INPUT -i eth1 -d $EXTIP -j LOG

$IPTABLES -L -n -v
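The rules rely on three things working together: first-match traversal of the INPUT chain, the FTP conntrack helper labelling the passive data connection RELATED, and LOG being a non-terminating target in front of the DROP policy. As an added example (not part of the script or its source site), the toy model below encodes the chain above in Python and walks a few constructed packets through it. The interface names, external IP and DNS servers are the script's own; the packets and their conntrack states are made up for the demonstration.

```python
# Added example, not part of the firewall script: a model of its INPUT chain.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Packet:
    iface: str
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    state: str = "NEW"    # what conntrack (with ip_conntrack_ftp) says about it


@dataclass
class Rule:
    target: str           # "ACCEPT" or "LOG"; LOG never terminates traversal
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[range] = None
    dport: Optional[range] = None
    states: Optional[Set[str]] = None

    def matches(self, p: Packet) -> bool:
        return all([
            self.iface is None or p.iface == self.iface,
            self.proto is None or p.proto == self.proto,
            self.src is None or p.src == self.src,
            self.dst is None or p.dst == self.dst,
            self.sport is None or p.sport in self.sport,
            self.dport is None or p.dport in self.dport,
            self.states is None or p.state in self.states,
        ])


EXTIP = "123.123.123.123"
HIGH = range(1024, 65536)           # what "--sport 1024:" / "--dport 1024:" mean
EST = {"ESTABLISHED", "RELATED"}


def dns_rules() -> List[Rule]:
    """Replies from the two resolvers the script trusts, tcp and udp."""
    rules = []
    for server in ("217.33.150.220", "217.33.150.221"):
        for proto in ("tcp", "udp"):
            rules.append(Rule("ACCEPT", iface="eth1", dst=EXTIP, src=server,
                              proto=proto, sport=range(53, 54)))
    return rules


INPUT_CHAIN: List[Rule] = [
    Rule("ACCEPT", iface="eth0"),                                   # internal side
    Rule("ACCEPT", proto="icmp"),                                   # ping
    *dns_rules(),
    Rule("ACCEPT", iface="eth1", dst=EXTIP, proto="tcp", dport=range(21, 22)),   # FTP control
    Rule("ACCEPT", iface="eth1", dst=EXTIP, proto="tcp", dport=range(20, 21), states=EST),
    Rule("ACCEPT", iface="eth1", dst=EXTIP, proto="tcp", sport=HIGH, dport=HIGH, states=EST),
    Rule("LOG", iface="eth1", dst=EXTIP),                           # then policy DROP
]
INPUT_POLICY = "DROP"


def filter_input(pkt: Packet, chain=INPUT_CHAIN, policy=INPUT_POLICY) -> Tuple[str, bool]:
    """Walk the chain in order; return (verdict, was_logged)."""
    logged = False
    for rule in chain:
        if not rule.matches(pkt):
            continue
        if rule.target == "LOG":
            logged = True     # LOG only records the packet; traversal continues
            continue
        return rule.target, logged
    return policy, logged


def passive_data_connection(state: str) -> Packet:
    """Constructed client connection to the high port the server announced in PASV."""
    return Packet("eth1", "tcp", "198.51.100.7", EXTIP, sport=40123, dport=51000, state=state)


if __name__ == "__main__":
    print(filter_input(Packet("eth1", "tcp", "198.51.100.7", EXTIP, 40122, 21)))
    print(filter_input(passive_data_connection("RELATED")))   # helper loaded
    print(filter_input(passive_data_connection("NEW")))       # helper not loaded
```

The third case is the one worth remembering: without the ip_conntrack_ftp helper the passive data connection arrives as NEW, misses every ACCEPT rule, is logged, and is then dropped by the policy, which shows up as FTP logins that work while directory listings hang.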


Source from: http://www.thedumbterminal.co.uk/config/


13 Jan 2008

Network Sniff tool

Sniff – Overview

Makes output from the tcpdump program easier to read and parse.

This software is now redundant, as ASCII output support has since been added to tcpdump in version 3.8.
Features

* Coloured console output
* Directly accepts tcpdump options (including parsing from packet files)
* Fully customisable output

Requirements

* Linux operating system
* Perl installed
* tcpdump program installed
* Privileges in order to run tcpdump
Sniff – Help

Run the following command for help.

./sniff -h

Sniff options should be placed before the double dash (--) and tcpdump options should be placed after. Here are some examples of how to use sniff.

Capture all incoming FTP packets on eth1 without using colour
As you can see, any options after the double dash "--" are standard tcpdump options.

./sniff -c -- -i eth1 tcp port 21

Real time logging to a CSV file
The example below uses the following options:
Enclose data with the " character (-e\")
Separator lines with the , character (-n,)
Print the separator once only (-t0)
Don't use colour (-c)

./sniff -e\" -n, -s -t0 -c > /tmp/dump.csv

Converting a tcpdump dump file into CSV format
First use tcpdump to make the dump file; you must use the "-lx -s 1024" options at least. For example:

tcpdump -lx -s 1024 -w /tmp/dump.txt

Then run sniff with the required options, note the tcpdump options stating to read from the previously created file.

./sniff -e\" -n, -s -t0 -c -- -r /tmp/dump.txt > /tmp/dump.csv
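The core job of a wrapper like this is to turn the header line and the indented hex lines that `tcpdump -l -x` prints into something a CSV consumer can use. As an added example (written here in Python rather than the tool's Perl, and not the sniff source), the converter below parses that layout, locates the TCP payload from the IPv4 IHL and TCP data-offset fields, renders it as printable ASCII, and emits one row per packet with configurable enclosure and separator characters in the spirit of the -e and -n options. SAMPLE is a constructed capture of an FTP USER command, not real traffic; its IP and TCP checksums are zero.

```python
# Added example, not the sniff program: tcpdump -x hex output to CSV rows.
import re
from typing import Dict, List

# Constructed old-style `tcpdump -l -x` output: one header line, then hex words.
SAMPLE = """\
12:34:56.789012 192.168.1.5.51234 > 203.0.113.10.21: P 1:11(10) ack 1 win 5840
                         4500 0032 1c46 4000 4006 0000 c0a8 0105
                         cb00 710a c822 0015 0000 0001 0000 0001
                         5018 16d0 0000 0000 5553 4552 2066 7470
                         0d0a
"""

HEADER_RE = re.compile(r"^(\S+)\s+(?:IP\s+)?(\S+)\s+>\s+([^:\s]+):\s*(.*)$")
# Hex lines are indented; newer tcpdump versions prefix an "0x0010:" offset.
HEX_RE = re.compile(r"^\s+(?:0x[0-9a-fA-F]+:\s+)?((?:[0-9a-fA-F]{2,4}\s*)+)$")


def parse_tcpdump_hex(text: str) -> List[Dict]:
    """Group each header line with the hex lines that follow it."""
    records: List[Dict] = []
    hex_words: List[str] = []
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            time, src, dst, info = header.groups()
            hex_words = []
            records.append({"time": time, "src": src, "dst": dst,
                            "info": info, "hex": hex_words})
            continue
        data = HEX_RE.match(line)
        if data and records:
            hex_words.extend(data.group(1).split())
    for rec in records:
        rec["bytes"] = bytes.fromhex("".join(rec.pop("hex")))
    return records


def tcp_payload(packet: bytes) -> bytes:
    """Skip the IPv4 header (IHL field) and the TCP header (data offset field)."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return b""            # only IPv4 carrying TCP is handled here
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 13:
        return b""
    data_offset = (packet[ihl + 12] >> 4) * 4
    return packet[ihl + data_offset:]


def printable(data: bytes) -> str:
    """Render bytes the way packet dumps do: printable ASCII, '.' for the rest."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)


def to_csv_row(rec: Dict, enclose: str = '"', sep: str = ",") -> str:
    """time, source, destination, payload; enclosure characters inside a field are doubled."""
    fields = [rec["time"], rec["src"], rec["dst"], printable(tcp_payload(rec["bytes"]))]
    return sep.join(enclose + f.replace(enclose, enclose * 2) + enclose for f in fields)


def tcpdump_to_csv(text: str, enclose: str = '"', sep: str = ",") -> str:
    return "\n".join(to_csv_row(r, enclose, sep) for r in parse_tcpdump_hex(text))


if __name__ == "__main__":
    print(tcpdump_to_csv(SAMPLE))
```

Doubling the enclosure character inside a field is what keeps a payload containing a quote from breaking the CSV, a detail that matters as soon as the rows are fed into a spreadsheet or a log parser.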


Source from: http://www.thedumbterminal.co.uk/software/sniff.shtml


CREATING ACL CONTENT

To start, you’re going to create a few files that will hold certain pieces of information. These files will later be referenced by Squid when you create the actual acls. The files you’re going to create are:

* A list of domains to block
* A list of file types to block
* A list of ads to block
* A list of your internal subnets

All of these are just basic text files that can be created with your favorite editor, however the author recommends Vim. Start with the list of blocked domains. This will be a list, one per line, of sites that you want to deny your users access to. Create a file like the following and save it as /etc/squid/denied_domains.acl.

Listing 1. Blocked domain list: /etc/squid/denied_domains.acl


.sex.com
.hackers.com
.xemacs.org

Next up is the list of file types to block. Create a file called /etc/squid/denied_filetypes.acl and add the following to it.
Listing 2. Blocked file type list: /etc/squid/denied_filetypes.acl

\.(exe)$
\.(zip)$
\.(mp3)$

Now for a little ad blocking. I don’t like those pesky advertisements. This won’t block everything, but it makes a good bit of difference. An excerpt from my file is below, but you can find an entire copy of my ad block list here.
Listing 3. Excerpt from /etc/squid/denied_ads.acl
/adv/.*\.gif$
/[Aa]ds/.*\.gif$
/[Aa]d[Pp]ix/
/[Aa]d[Ss]erver
/[Aa][Dd]/.*\.[GgJj][IiPp][FfGg]$
/[Bb]annerads/

Finally, you need a list of all your internal subnets. Here’s how that one should look.
Listing 4. Internal subnet list: /etc/squid/student_subnets.acl

192.168.10.0/24
192.168.11.0/24
192.168.12.0/24
192.168.13.0/24

CREATING USER NOTIFICATION SCREENS

The user notification screens are what tell a user that they have tried to access a forbidden website, attempted to download an unauthorized file type, or are having advertisements filtered from the page they are viewing. They aren’t strictly necessary, as Squid comes with acceptable defaults, but they help make an impression on the users. You’ll need three files, one each for denied sites, files, and ads.

The screens I use are simple modified versions of the defaults supplied with a little more color to make them a bit more recognizable. When a user attempts to access a site that is forbidden, they are presented a red screen. After seeing this screen once, users know immediately what it means.
Listing 5. Site Access Denied User Screen


Listing 6. File Access Denied User Screen
Attempting to access a denied file type displays a similar screen, only this one is yellow.

The screen used to replace blocked advertisements is a little different. It’s a solid white page and the only text is “Ad filtered!”. However, you never actually see the page. The header of the page contains a meta tag that redirects the user immediately when that page loads to a 4 pixel by 4 pixel transparent GIF hosted directly on the proxy.

These files need to be saved in your Squid errors directory. In Gentoo this can be reached at /etc/squid/errors, but it may be different for Red Hat and others. Download the following files and place them in that directory. Remove the “.txt” extension once they’re there.

* Denied site
* Denied file
* Denied ad

And here’s a 4×4 transparent GIF if you need one.

* 4×4.gif

PUTTING IT ALL TOGETHER

First add the directives for the user error screens since they are the easiest. This is done by adding a couple of deny_info lines to your Squid config.
Listing 7. Excerpt From File: /etc/squid/squid.conf

deny_info NOTE_ADS_FILTERED url_ads
deny_info NOTE_FILETYPES_FILTERED filetypes

There’s no need to directly reference the ERR_ACCESS_DENIED file since all you’ve really done is tweak an already existing file.

It’s finally time to add your acls that you built content for at the beginning. In the acl block in your configuration, add the following lines.
Listing 8. Excerpt From File: /etc/squid/squid.conf

acl denied_domains dstdomain "/etc/squid/denied_domains.acl"
acl filetypes urlpath_regex -i "/etc/squid/denied_filetypes.acl"
acl url_ads url_regex "/etc/squid/denied_ads.acl"
acl students src "/etc/squid/student_subnets.acl"

Now that Squid knows what types of information you want to control and what to do when accessed by a user, you need to tell Squid how to tie the pieces of information together. This is easily done with a few http_access rules.
Listing 9. Excerpt From File: /etc/squid/squid.conf

http_access deny url_ads
http_access deny students filetypes
http_access deny denied_domains

It’s important to order your http_access lines correctly, or your users may not get the access you’re expecting to give them! A final version of the config you’ve been working on can be found here so you can see a good order to place them in.

Config example:
#http_port 3128
cache_mgr you@yourdomain.com
log_fqdn on
ftp_user anonymous@yourdomain.com
log_icp_queries off
httpd_accel_with_proxy off
httpd_accel_uses_host_header off
visible_hostname hostname
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl localnet src 0.0.0.0/0.0.0.0
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl Safe_ports port 19638 # Battletechuniverse.org https webmail
acl purge method PURGE
acl CONNECT method CONNECT
acl denied_domains dstdomain "/etc/squid/denied_domains.acl"
acl students src "/etc/squid/student_subnets.acl"
acl filetypes urlpath_regex -i "/etc/squid/denied_filetypes.acl"
acl url_ads url_regex "/etc/squid/denied_ads.acl"

deny_info NOTE_ADS_FILTERED url_ads
deny_info NOTE_FILETYPES_FILTERED filetypes
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny url_ads
http_access deny students filetypes
http_access deny denied_domains
# "all" admits every client that can reach the proxy, including any from outside;
# narrow this to an ACL for your own subnets unless an open proxy is intended
http_access allow all
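Why the order matters is easiest to see by running requests through the list. The following is an added example, not part of the article or of Squid: a small model of Squid's http_access evaluation (first line whose ACLs all match wins; if nothing matches, the opposite of the last line's action applies) with dstdomain, src and regex matching as Squid documents them. The ACL contents are constructed inline to mirror Listings 1 to 4 instead of being read from /etc/squid, and the client addresses and URLs are made up.

```python
# Added example, not Squid code: evaluating the http_access rules above.
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-ins for the four ACL files (Listings 1-4).
DENIED_DOMAINS = [".sex.com", ".hackers.com", ".xemacs.org"]
DENIED_FILETYPES = [r"\.(exe)$", r"\.(zip)$", r"\.(mp3)$"]
DENIED_ADS = [r"/adv/.*\.gif$", r"/[Aa]ds/.*\.gif$", r"/[Bb]annerads/"]
STUDENT_SUBNETS = ["192.168.10.0/24", "192.168.11.0/24", "192.168.12.0/24", "192.168.13.0/24"]


def match_dstdomain(patterns: List[str], host: str) -> bool:
    """Squid dstdomain: a leading dot matches the domain itself and all subdomains."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("."):
            if host == pat[1:] or host.endswith(pat):
                return True
        elif host == pat:
            return True
    return False


def match_src(cidrs: List[str], client_ip: str) -> bool:
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def match_regex(patterns: List[str], text: str, ignore_case: bool = False) -> bool:
    flags = re.IGNORECASE if ignore_case else 0
    return any(re.search(p, text, flags) for p in patterns)


Request = Dict[str, str]


def request(client: str, url: str) -> Request:
    parts = urlsplit(url)
    return {"client": client, "url": url, "host": parts.hostname or "", "path": parts.path}


# ACL name -> predicate, standing in for the acl lines in squid.conf.
ACLS: Dict[str, Callable[[Request], bool]] = {
    "localhost": lambda r: r["client"] == "127.0.0.1",
    "denied_domains": lambda r: match_dstdomain(DENIED_DOMAINS, r["host"]),
    "filetypes": lambda r: match_regex(DENIED_FILETYPES, r["path"], ignore_case=True),  # -i
    "url_ads": lambda r: match_regex(DENIED_ADS, r["url"]),
    "students": lambda r: match_src(STUDENT_SUBNETS, r["client"]),
    "all": lambda r: True,
}

# The relevant http_access lines in the order the final config lists them.
HTTP_ACCESS: List[Tuple[str, List[str]]] = [
    ("allow", ["localhost"]),
    ("deny", ["url_ads"]),
    ("deny", ["students", "filetypes"]),    # several ACLs on one line are ANDed
    ("deny", ["denied_domains"]),
    ("allow", ["all"]),
]


def http_access(req: Request, rules=HTTP_ACCESS) -> Tuple[str, Optional[List[str]]]:
    """First line whose ACLs all match decides. With no match, Squid applies the
    opposite of the last line's action."""
    for action, names in rules:
        if all(ACLS[name](req) for name in names):
            return action, names
    fallback = "deny" if rules[-1][0] == "allow" else "allow"
    return fallback, None


if __name__ == "__main__":
    for client, url in [("192.168.10.5", "http://files.example.org/setup.exe"),
                        ("10.0.0.8", "http://files.example.org/setup.exe"),
                        ("10.0.0.8", "http://www.sex.com/index.html"),
                        ("127.0.0.1", "http://www.sex.com/index.html")]:
        print(client, url, "->", http_access(request(client, url)))
```

Two things the run shows: `allow localhost` sits above the deny lines, so a request from the proxy host itself is never filtered, and moving `allow all` above the deny lines silently disables every block. Because the list ends with an allow, a client outside every listed subnet is admitted too, which is the open-proxy point made in the comment on that line.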


