
Re: [K12OSN] CIPA and Squidguard



Ryan Collins wrote:
> 
> Mike Rambo said:
> > Even the consultant we had assisting
> > didn't give ipchains a second thought when he discovered it appeared to
> > support port forwarding similarly to iptables. The thing is, ipchains
> > doesn't work right. Using ipchains brought the system to its knees in
> > less than two minutes once we redirected all our http traffic to it. I
> > went through this for the better part of a week until our consultant
> > (president of a mid-Michigan ISP who was donating time to help us out)
> > came back in and redid the whole thing per the howto and figured out
> > ipchains had been the problem.
> >
> > All this to say that an explicit warning against using ipchains may help
> > out someone else who is tempted to do what we did out of convenience.
> 
> Can I ask what issues you were having? We've been using ipchains to
> transparently proxy our network for 2 1/2 years now and haven't had a
> problem (~600 machines, around half active on the net at a time).
> 

I never determined exactly what precipitated the failure. The symptoms
were that a dual PIII 733 box with 1GB RAM would fall over in under two
minutes if we redirected all our http traffic (usually 4.5M - 5.5M) to
squid. Squid would complain about having insufficient redirectors and
hit the floor. I put out several messages at the time on this list
asking for help - they should be in the archives. Henrik Nordstrom on
the squid ML said there were known memory leaks with ipchains on a 2.4
kernel (we were running k12ltsp v2.1.0). Others thought that traffic was
looping through the system until the TTL expired or something similar. I
don't know which it was, if either. I can say we never appeared to run
out of memory. Of the 1GB, it seldom used over 500MB at the time. If we
limited the traffic to just the elementary schools the box didn't fall
over (although it nearly maxed both CPUs) and we didn't notice any
slowdown in accessing pages either. Seems like we would have if traffic was
looping through or something.

All I know is that when our consultant came back and changed the whole
system (he went with Mandrake 9.0 - he wanted something entirely
different because at the time he wasn't sure of the cause either) it has
worked fine ever since - at least up until yesterday. I've now noticed
another problem has arisen which I'll likely post a message about later
if I can't find a solution pretty soon - but it should probably be a
different thread...


-- 
Mike Rambo
mrambo lsd k12 mi us




