Hi all,

I've just built Mandrake 10.1 on a Compaq Deskpro that I've built as a router/firewall and am redirecting port 80 outbound to force users through the Content Filter. I've run this setup on Mandrake 9.0 and 10.0 without any problems but this time the following happens.

Squid is accessed through port 3128 and Dansguardian via 8080.

If I set my browser on a client to use the router/firewall proxy port 3128 and remove the redirect the connection is like lightning. Similarly, if I set the browser to use port 8080 it's rapid and the filter kicks in if pushed to a smut site.

If I set the shorewall up on the router using:

REDIRECT loc 3128 tcp 80 -

or

REDIRECT loc 8080 tcp 80 -

in the rules file it takes anywhere between 10 -> 20 seconds to load a page and often times out. Squid is set up with the http_accel options correctly configured and I think I'm getting to the point where I can't see the wood from the trees. Anyone else come up with this problem?

Spec as follows:

Compaq Deskpro - 450MHz P2 96MB RAM
Alcatel Speedtouch 330v1 USB DSL modem
Mandrake 10.1 Power Pack
No GUI running at all
Shorewall v2.0.8
Squid v2.5.STABLE6
DansGuardian 2.7.7-8

CPU load is shown as 0 -> 5% when browsing and disk activity is minimal even when proxying. 50MB RAM in use with no activity in the swap file at all so I can't see the load being that high.

Cheers,
Jools
On Tue, 2005-01-04 at 00:37 +0000, jools wrote:
> Hi all,
>
> I've just built Mandrake 10.1 on a Compaq Deskpro that I've built as a
> router/firewall and am redirecting port 80 outbound to force users through
> the Content Filter. I've run this setup on Mandrake 9.0 and 10.0 without any
> problems but this time the following happens.

Posting the same problem twice in less than an hour does not improve your service time. On the contrary, I'm now going to ignore your post until tomorrow.

Have a nice night,

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
A thousand apologies. I had the mail cc'd to the Squid list but it bounced as my subscription had not yet cleared. Resent it without thinking to remove the shorewall address so it went to this list twice. Late night, not enough caffeine ;)

Cheers,
Jools

On Tuesday 04 Jan 2005 01:33, Tom Eastep wrote:
> On Tue, 2005-01-04 at 00:37 +0000, jools wrote:
> > Hi all,
> >
> > I've just built Mandrake 10.1 on a Compaq Deskpro that I've built as a
> > router/firewall and am redirecting port 80 outbound to force users
> > through the Content Filter. I've run this setup on Mandrake 9.0 and 10.0
> > without any problems but this time the following happens.
>
> Posting the same problem twice in less than an hour does not improve
> your service time. On the contrary, I'm now going to ignore your post
> until tomorrow.
>
> Have a nice night,
>
> -Tom
On Tue, 2005-01-04 at 00:37 +0000, jools wrote:
> Hi all,
>
> I've just built Mandrake 10.1 on a Compaq Deskpro that I've built as a
> router/firewall and am redirecting port 80 outbound to force users through
> the Content Filter. I've run this setup on Mandrake 9.0 and 10.0 without any
> problems but this time the following happens.
>
> Squid is accessed through port 3128 and Dansguardian via 8080.
>
> If I set my browser on a client to use the router/firewall proxy port 3128 and
> remove the redirect the connection is like lightning. Similarly, if I set the
> browser to use port 8080 it's rapid and the filter kicks in if pushed to a
> smut site.
>
> If I set the shorewall up on the router using:
>
> REDIRECT loc 3128 tcp 80 -
>
> or
>
> REDIRECT loc 8080 tcp 80 -
>
> in the rules file it takes anywhere between 10 -> 20 seconds to load a page
> and often times out. Squid is set up with the http_accel options correctly
> configured and I think I'm getting to the point where I can't see the wood
> from the trees. Anyone else come up with this problem?

The only problem remotely similar to this one that I can recall was caused by conntrack table overflow.

There are two factors:

a) When using transparent proxying, there are almost exactly twice as many connections to track as when using no proxy and a significant percentage more connections than when using a static proxy.

b) The conntrack table is sized based on the amount of RAM in the system and you have a very small amount of RAM.

So I would look at the system logs to see if this is a possible cause -- if it is, check the archives for instructions on increasing the table size. You can increase it easily without rebooting but for best performance, you need to also increase the hash table size which requires that the conntrack module be unloaded.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
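Tom's diagnosis above (transparent proxying roughly doubles the number of flows the firewall must track, the conntrack table is sized from RAM, and an overflow shows up in the kernel log as "table full" drops that the client sees as a hang or timeout) can be checked with the script below. It is an added example, not code from this thread or from Shorewall. The /proc and /sys paths are the stock Linux ones, the "table full, dropping packet" wording is what the ip_conntrack and nf_conntrack modules log, and the sample log lines and the 80% "near-full" threshold are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): conntrack-overflow triage for a
# transparent-proxy firewall. Runs offline against a constructed log; live
# counters are read from /proc only when they exist.

# Constructed kernel log excerpt. 2.4/2.6-era kernels log the ip_conntrack
# form, later kernels the nf_conntrack form; both mean the packet that
# would have opened a new flow was dropped, which a browser experiences as
# a stall or timeout rather than an error page.
SAMPLE_LOG='Jan  4 00:12:01 fw kernel: ip_conntrack: table full, dropping packet.
Jan  4 00:12:01 fw kernel: ip_conntrack: table full, dropping packet.
Jan  4 00:12:03 fw kernel: eth0: link up
Jan  4 00:12:09 fw kernel: nf_conntrack: table full, dropping packet'

# Number of "table full" drops in a log read from stdin (0 if none;
# grep -c exits 1 on no match, which is not an error here).
count_table_full() {
    n=$(grep -c 'conntrack: table full, dropping packet' || true)
    echo "${n:-0}"
}

# Integer percentage of the conntrack table in use. Caller guards max > 0.
conntrack_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Flows the firewall tracks for N client HTTP connections when port 80 is
# REDIRECTed to a local proxy: the client->proxy leg (redirected in
# PREROUTING, still tracked) plus the proxy->origin leg, i.e. about twice
# the count with no proxy, as the reply above says.
transparent_proxy_flows() {
    echo $(( $1 * 2 ))
}

# Print the first readable of the given files, or nothing (conntrack not
# loaded, or not Linux). Never fails, so it is safe under set -e.
read_first() {
    for f in "$@"; do
        if [ -r "$f" ]; then cat "$f"; return 0; fi
    done
    return 0
}

# Live counters: newer path first, then the 2.4/2.6 ip_conntrack path.
conntrack_count() {
    read_first /proc/sys/net/netfilter/nf_conntrack_count \
               /proc/sys/net/ipv4/netfilter/ip_conntrack_count
}
conntrack_max() {
    read_first /proc/sys/net/netfilter/nf_conntrack_max \
               /proc/sys/net/ipv4/ip_conntrack_max
}

# Verdict: "overflow" if the log shows drops, "near-full" if usage is at
# or above 80% (this example's threshold), otherwise "ok".
# args: drops used max
conntrack_verdict() {
    if [ "$1" -gt 0 ]; then
        echo overflow
    elif [ "$3" -gt 0 ] && [ "$(conntrack_usage_pct "$2" "$3")" -ge 80 ]; then
        echo near-full
    else
        echo ok
    fi
}

# Raise the table limit at runtime (no reboot). The hash table size is a
# module parameter: on the 2.4/2.6 kernels of the thread it is only set by
# reloading the module (rmmod ip_conntrack; modprobe ip_conntrack hashsize=N),
# which drops every tracked flow, so schedule it. Newer kernels expose
# /sys/module/nf_conntrack/parameters/hashsize, writable at runtime.
raise_conntrack_max() {   # arg: new maximum; needs root
    for f in /proc/sys/net/netfilter/nf_conntrack_max /proc/sys/net/ipv4/ip_conntrack_max; do
        if [ -w "$f" ]; then echo "$1" > "$f"; echo "set $f=$1"; return 0; fi
    done
    echo "no writable conntrack_max (need root, or conntrack not loaded)" >&2
    return 1
}

# Report on the constructed log, plus live counters when available.
drops=$(printf '%s\n' "$SAMPLE_LOG" | count_table_full)
used=$(conntrack_count); max=$(conntrack_max)
echo "table-full drops in log: $drops"
[ -n "$max" ] && echo "conntrack in use: $used / $max ($(conntrack_usage_pct "$used" "$max")%)"
echo "verdict: $(conntrack_verdict "$drops" "${used:-0}" "${max:-0}")"
```

On a real box, pipe `dmesg` or the syslog kernel facility into `count_table_full` instead of the constructed excerpt; a non-zero count with a low CPU load, as in the original post, is the signature of conntrack overflow rather than of the proxy itself being slow.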
Hi Tom,

Just wanted to say thanks for getting back. I tried the conntrack fix and Googled for more info but ultimately I think I was just pushing the PC too hard. Couldn't find any RAM in my cupboard that would work with the Compaq so I hauled out an old 500 P3 and stuck 384MB of PC100 in it. That sorted the performance problem ;)

Cheers again and thanks for Shorewall. I've always found GUIs too restrictive and I don't have the time to get my head around iptables. Shorewall is the perfect balance and well recommended.

All the best,
Jools

On Tuesday 04 Jan 2005 14:51, Tom Eastep wrote:
> On Tue, 2005-01-04 at 00:37 +0000, jools wrote:
> > Hi all,
> >
> > I've just built Mandrake 10.1 on a Compaq Deskpro that I've built as a
> > router/firewall and am redirecting port 80 outbound to force users
> > through the Content Filter. I've run this setup on Mandrake 9.0 and 10.0
> > without any problems but this time the following happens.
> >
> > Squid is accessed through port 3128 and Dansguardian via 8080.
> >
> > If I set my browser on a client to use the router/firewall proxy port
> > 3128 and remove the redirect the connection is like lightning. Similarly,
> > if I set the browser to use port 8080 it's rapid and the filter kicks in
> > if pushed to a smut site.
> >
> > If I set the shorewall up on the router using:
> >
> > REDIRECT loc 3128 tcp 80 -
> >
> > or
> >
> > REDIRECT loc 8080 tcp 80 -
> >
> > in the rules file it takes anywhere between 10 -> 20 seconds to load a
> > page and often times out. Squid is set up with the http_accel options
> > correctly configured and I think I'm getting to the point where I can't
> > see the wood from the trees. Anyone else come up with this problem?
>
> The only problem remotely similar to this one that I can recall was
> caused by conntrack table overflow.
>
> There are two factors:
>
> a) When using transparent proxying, there are almost exactly twice as
> many connections to track as when using no proxy and a significant
> percentage more connections than when using a static proxy.
>
> b) The conntrack table is sized based on the amount of RAM in the system
> and you have a very small amount of RAM.
>
> So I would look at the system logs to see if this is a possible cause --
> if it is, check the archives for instructions on increasing the table
> size. You can increase it easily without rebooting but for best
> performance, you need to also increase the hash table size which
> requires that the conntrack module be unloaded.
>
> -Tom