From: Evgeni Gechev
Date: Thu, 08 Apr 2004 17:38:04 +0000
Subject: Re: [LARTC] Squid + shaping question
Message-Id: <40758DFC.3080107@setcom.bg>
References: <20040408003240.77A644456@outpost.ds9a.nl>
In-Reply-To: <20040408003240.77A644456@outpost.ds9a.nl>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

Short: you need the zph patch.

Detailed: you could use both, if you need. They just do different jobs. With the first patch you could control outgoing connections, i.e. communication between squid and web servers/peers. With the second patch (zph), you could control communication between squid and clients, and as I understand, this is what you are interested in.

Teodor Yantchev wrote:
>Hi folks,
>
>So, I have a pretty simple setup - a linux router machine running as a firewall/router for a small neighborhood LAN (approx 20 machines). I also have squid running on the box in non-transparent mode, and also I have set up NAT for TCP/UDP ports above 1024 for all clients and SSH/POP/SMTP/CVS NAT'd for selected ones based on MAC filtering. No hosts whatsoever can access ports 80 and 443 without going through squid. The uplink to the internet is 512kbit/s downstream and 64kbit/s upstream cable modem connected on eth1 (LAN on eth0, no DMZ).
>
>When the LAN started to grow from a few well known friends of mine to more people I didn't know so well, 'social shaping' stopped working for us - bulk downloaders started to saturate the link so badly that I even couldn't use ssh acceptably from outside. So - the usual solution - www.lartc.org.
>
>I did a lot of reading on the topic (this really got me interested in it) and finally ended up installing a self-modified version of wondershaper on the external interface. This did solve the problem of me having usable ssh from my office to the router machine, and the ingress qdisc partially solved the problem of the downlink being fairly distributed between all incoming connections - but as most of you know this is a half-baked bread. What I think should be done is shaping the internal interface - BUT - the squid in-between causes trouble.
>
>So the question is - how to differentiate between traffic served from squid's cache and traffic squid got directly from the internet? Shaping/policing all web traffic negates the benefits of having a caching proxy pretty much.
>
>After lots of googling and reading (at one point I was ready to completely forget squid) I came up with the following alternatives, both found on the FAQ section of www.docum.org - 'SQUID zero penalty for HIT traffic patch' by a fellow Bulgarian Marin Stavrev, and a patch giving you the ability to 'use ACL lists to put packets in classes' by a guy named Patrick.
>
>I'd like to ask you for your experiences with those, which one is better, any other alternatives you know of and of course general recipes/recommendations for solving my problem.
>
>Well, that's it put shortly in an over-sized mail. Thanks in advance for your advice.
>
>Regards,
>Teddy
>
>_______________________________________________
>LARTC mailing list / LARTC@mailman.ds9a.nl
>http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
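Added example, not from either poster: an HTB setup on the router's LAN interface that uses the TOS mark the zph patch puts on cache HIT replies to keep them out of the shaped class, while everything else is held to the 512 kbit/s downlink Teddy describes. It assumes zph is configured to set TOS 0x30 on local hits, that the LAN interface is eth0 at 100 Mbit/s, and a 90 Mbit/s rate for the hit class; all three are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread. Egress shaping on the router's
# LAN interface: Squid cache HITs (which the zph patch tags via the IP TOS
# byte) bypass the limiter, everything else is held to the 512 kbit/s downlink
# so the queue builds on the router rather than at the ISP.
#
# Assumptions (adjust to your setup):
#   ZPH_TOS  - TOS value zph is configured to set on local hits (assumed 0x30)
#   LAN_IF   - LAN-facing interface (eth0 in the poster's setup)
#   HIT_RATE - rate for the hit class, below the LAN speed (assumed 90 Mbit/s)
# Commands are printed by default; run with APPLY=1 to execute them as root.

LAN_IF="${LAN_IF:-eth0}"
ZPH_TOS="${ZPH_TOS:-0x30}"
DOWNLINK="${DOWNLINK:-512kbit}"
LAN_RATE="${LAN_RATE:-100mbit}"
HIT_RATE="${HIT_RATE:-90mbit}"

tc_cmd() {
    if [ "${APPLY:-0}" = "1" ]; then
        tc "$@"
    else
        echo "tc $*"
    fi
}

build_shaper() {
    # Start from a clean slate; ignore the error when no qdisc exists yet.
    tc_cmd qdisc del dev "$LAN_IF" root 2>/dev/null || true
    # HTB root; anything no filter claims lands in the shaped class 1:20.
    tc_cmd qdisc add dev "$LAN_IF" root handle 1: htb default 20
    tc_cmd class add dev "$LAN_IF" parent 1: classid 1:1 htb rate "$LAN_RATE"
    # 1:10 cache hits: served from local disk, no reason to throttle them.
    tc_cmd class add dev "$LAN_IF" parent 1:1 classid 1:10 htb \
        rate "$HIT_RATE" ceil "$LAN_RATE" prio 0
    # 1:20 everything else, capped at the downlink so the router owns the queue.
    tc_cmd class add dev "$LAN_IF" parent 1:1 classid 1:20 htb \
        rate "$DOWNLINK" ceil "$DOWNLINK" prio 1
    # Classify on the TOS byte; mask 0xfc ignores the two ECN bits.
    tc_cmd filter add dev "$LAN_IF" parent 1: protocol ip prio 1 u32 \
        match ip tos "$ZPH_TOS" 0xfc flowid 1:10
    # Fair queueing inside the shaped class so one bulk download cannot
    # starve the rest (the original complaint in the thread).
    tc_cmd qdisc add dev "$LAN_IF" parent 1:20 handle 20: sfq perturb 10
}

build_shaper
```

The TOS value and whether MISS replies keep their original TOS are squid.conf settings for the patch, so check `tc -s class show dev eth0` after a few cached fetches to confirm HIT bytes are counted in 1:10 and not in 1:20.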