Re: [squid-users] For admins that wanted to stop torrent downloads

From: Amos Jeffries <squid3@treenet.co.nz>
Date: Tue, 23 Oct 2007 21:47:12 +1300

SSCR Internet Admin wrote:
> It seems that I am observing now, 90% of torrent downloads are not
> connecting... I guess I would try several days, if these active connecting
> torrent can actually connect... This is somewhat useful as of now on my
> opinion, it cuts down torrent access...

As would redirecting all traffic to /dev/null.
At present you are using a large memory/cpu-using process (squid) as a
cheap blackhole.
Squid is just receiving many requests it can't handle and drops almost
immediately. There is other software available much better suited to
that than squid.

My point about REDIRECT/DNAT is the kernel-level differences between
DNAT and REDIRECT that allow transparent mode to operate better with
REDIRECT. Torrents still remain an unknown method to current generations
of squid regardless of how they reach squid.

Amos

>
> -----Original Message-----
> From: Amos Jeffries [mailto:squid3@treenet.co.nz]
> Sent: Tuesday, October 23, 2007 3:22 PM
> To: SSCR Internet Admin
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] For admins that wanted to stop torrent downloads
>
> SSCR Internet Admin wrote:
>> Hi,
>>
>> I am experimenting on how to stop torrent downloads, but when a torrent
>> client already established a connection, it doesn't drop the packets at all.
>> I hope someone could share a thought or two about my approach....
>>
>> 1. Run squid on transparent mode
>> 2. I run this iptables command...
>>
>> # Reroute all ports to port 3128
>> $IPT -t nat -I PREROUTING -i $INT -p tcp --dport 80 -j DNAT --to 192.168.100.1:3128
>
> Target to use is REDIRECT not DNAT.
> Or on systems with appropriately patched kernel TPROXY target is available.
>
> <snip remaining list of ports>
>
>> 4. I have found this logs on cache.log
>>
>> 2007/10/23 13:47:42| parseHttpRequest: Requestheader contains NULL characters
>> 2007/10/23 13:47:42| parseHttpRequest: Unsupported method 'BitTorrent'
>> 2007/10/23 13:47:42| clientReadRequest: FD 137 (192.168.100.61:3907) Invalid Request
>> 2007/10/23 13:47:43| parseHttpRequest: Requestheader contains NULL characters
>> 2007/10/23 13:47:43| parseHttpRequest: Unsupported method 'BitTorrent'
>> 2007/10/23 13:47:43| clientReadRequest: FD 89 (192.168.100.61:3908) Invalid Request
>> 2007/10/23 13:47:43| parseHttpRequest: Requestheader contains NULL characters
>> 2007/10/23 13:47:43| parseHttpRequest: Unsupported method 'BitTorrent'
>> 2007/10/23 13:47:43| clientReadRequest: FD 152 (192.168.100.61:3909) Invalid
>>
>> I don't know if these experiments also exist, but it's a good way, maybe
>> someone could make a patch that blocks torrents or p2p apps based on the
>> cache.log results.
>>
>
> Better yet. The dev team is looking for somebody interested in adding
> full Torrent support to squid.
> That would entail adding settings and ACL to configure access/denial
> properly.
>
> Amos
>
Received on Tue Oct 23 2007 - 02:47:17 MDT
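
Added example (not part of the original thread and not Squid code): a sketch of the cache.log-based detection the original poster asks about. It pairs each `Unsupported method 'BitTorrent'` line with the `clientReadRequest` line that follows it to name the client. The function name, the threshold and the sample lines for clients other than 192.168.100.61 are constructed, and it assumes the log lines for one rejected request are adjacent, as in the quoted excerpt.

```python
import re
from collections import Counter

# Line shapes taken from the cache.log excerpt quoted in the thread.
METHOD_RE = re.compile(r"parseHttpRequest: Unsupported method '([^']*)'")
CLIENT_RE = re.compile(
    r"clientReadRequest: FD \d+ \((\d{1,3}(?:\.\d{1,3}){3}):\d+\) Invalid Request")

# Constructed sample: .61 mirrors the thread; .75 and .80 are made up.
SAMPLE_LOG = """\
2007/10/23 13:47:42| parseHttpRequest: Requestheader contains NULL characters
2007/10/23 13:47:42| parseHttpRequest: Unsupported method 'BitTorrent'
2007/10/23 13:47:42| clientReadRequest: FD 137 (192.168.100.61:3907) Invalid Request
2007/10/23 13:47:43| parseHttpRequest: Unsupported method 'BitTorrent'
2007/10/23 13:47:43| clientReadRequest: FD 89 (192.168.100.61:3908) Invalid Request
2007/10/23 13:47:43| parseHttpRequest: Unsupported method 'FOO'
2007/10/23 13:47:43| clientReadRequest: FD 90 (192.168.100.75:4100) Invalid Request
2007/10/23 13:47:43| parseHttpRequest: Unsupported method 'BitTorrent'
2007/10/23 13:47:43| clientReadRequest: FD 152 (192.168.100.61:3909) Invalid Request
2007/10/23 13:47:44| parseHttpRequest: Unsupported method 'BitTorrent'
2007/10/23 13:47:44| clientReadRequest: FD 91 (192.168.100.80:5000) Invalid Request
"""

def bittorrent_clients(lines, threshold=2):
    """Return {client_ip: count} for clients with at least `threshold`
    rejected requests whose parsed method token was 'BitTorrent'."""
    hits = Counter()
    pending = None  # method seen on the most recent parseHttpRequest line
    for line in lines:
        method = METHOD_RE.search(line)
        if method:
            pending = method.group(1)
            continue
        client = CLIENT_RE.search(line)
        if client:
            # The method line carries no address; the next
            # clientReadRequest line supplies the client IP.
            if pending == "BitTorrent":
                hits[client.group(1)] += 1
            pending = None  # never attribute one method line twice
    return {ip: n for ip, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in sorted(bittorrent_clients(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip}\t{n} rejected BitTorrent handshakes")
```

The resulting address list is a report of which internal hosts are attempting peer connections over the intercepted port; as the reply notes, the dropping itself is better done by something lighter than Squid.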
