Transparent squid + torrent = 11,000 states



  • I'm running into an issue with BitTorrent and Squid transparent mode.

    • With just BitTorrent running (Transmission client) I get about 1000-1600 states. Everything works fine. BitTorrent is set to max out connections at 500 (1000 total states +/- a couple hundred). Transmission is not configured to use port 80, of course!

    • With just Squid transparent mode running, there are usually only a couple hundred states; all HTTP port 80 connections work nicely and are cached nicely.

    If you run BitTorrent and Squid transparent mode together, the number of states will jump to 11,000-12,000 in less than 30 seconds. When this happens, no port 80 browsing is possible, but other ports which don't go through the proxy will work. This behavior is seen with the latest version of pfSense 2.0 as well as a snapshot from last Thursday.

    This is a small example of what is in the state table; 90% of it is this:
    tcp 127.0.0.1:80 <- 127.0.0.1:43035 ESTABLISHED:ESTABLISHED
    tcp 127.0.0.1:57993 -> 127.0.0.1:80 ESTABLISHED:ESTABLISHED
    tcp 127.0.0.1:80 <- 127.0.0.1:57993 ESTABLISHED:ESTABLISHED
    tcp 127.0.0.1:61552 -> 127.0.0.1:80 ESTABLISHED:ESTABLISHED
    tcp 127.0.0.1:80 <- 127.0.0.1:61552 ESTABLISHED:ESTABLISHED
    tcp 127.0.0.1:21522 -> 127.0.0.1:80 ESTABLISHED:ESTABLISHED
    tcp 127.0.0.1:80 <- 127.0.0.1:21522 ESTABLISHED:ESTABLISHED

    To remedy this I disable transparent mode and clear the states, or turn off the BitTorrent client and clear the states.

    Anyone have advice on how I can use torrents and transparent mode at the same time?



  • Seems some kind of loop is happening on your firewall.
    Please post your rulesets and nat rules.



  • @rsingh

    I did a test - just for you:

    I am using utorrent and I used a torrent to download ubuntu 10.04.
    I am using squid in transparent mode.

    The states rise from ~50 up to 300-400.

    I didn't change any settings within my torrent client (utorrent).



  • Known problem for me. The easiest method to reproduce this -

    lynx localhost    #or
    fetch http://localhost
    from pfSense.

    Some domain administrators joke:

    dig some.domain
    some.domain. IN A 127.0.0.1

    Itself was checked. Squid does not have any protection against turning to itself. I added a rule to squid.inc:

    
     $rules .= "# Setup squid pass rules for proxy\n";
    +$rules .= "block in quick on lo0 proto tcp from 127.0.0.1 to (lo0) port 80\n";
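    Review bot: the block rule drops every loopback TCP connection to port 80 on lo0, so besides stopping the redirect loop it also makes any legitimate local request to the proxy (the `fetch http://localhost` reproduction above) fail silently rather than loop; adding `log` (`block log in quick on lo0 ...`) would make those hits visible in the firewall log. The rule is also hard-coded to port 80, so a transparent redirect listening on any other port would still loop the same way.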
    

    Thus far it helps.



  • I added this silly rule to the top of my floating rules:

    ID Proto Source Port Destination Port Gateway Queue Schedule Description
    [BLOCK] TCP 127.0.0.1 * 127.0.0.1 80 (HTTP) * none

    Shortly after adding this (~1-2 minutes) the states dropped from >11,000 to <1,000. HTTP traffic is not being slowed to a crawl.

    So this is a really good workaround, but perhaps this should get fixed. ermal, would you like me to just send the whole config file to you?
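    A monitoring check for the condition described in this thread, added here as an example and not code from any of the posters or from pfSense: it parses `pfctl -ss` style state lines in the format quoted in the first post (an optional leading interface column is tolerated; states that pf prints with a third NAT-rewritten address are skipped), counts loopback-to-loopback TCP states on the proxy port, and raises an alert when they pass a threshold, so the loop is noticed before port 80 browsing dies. The sample state lines are constructed from the ones quoted above plus two ordinary states.

```python
import re

# Matches one `pfctl -ss` line in the format quoted in the thread, e.g.
#   tcp 127.0.0.1:57993 -> 127.0.0.1:80 ESTABLISHED:ESTABLISHED
#   tcp 127.0.0.1:80 <- 127.0.0.1:43035 ESTABLISHED:ESTABLISHED
# An optional leading interface column ("all") is tolerated; states that pf
# prints with a third, NAT-rewritten address do not match and are skipped.
STATE_RE = re.compile(
    r"^(?:(?P<iface>\S+)\s+)?(?P<proto>[a-z]+)\s+"
    r"(?P<a>[\d.]+):(?P<ap>\d+)\s+(?P<dir>->|<-)\s+"
    r"(?P<b>[\d.]+):(?P<bp>\d+)\s+(?P<state>\S+)$"
)

def parse_state(line):
    """Return (proto, (src_ip, src_port), (dst_ip, dst_port)) or None.
    '->' means the left endpoint initiated, '<-' means the right one did,
    so dst is always the side that was connected to."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    left = (m["a"], int(m["ap"]))
    right = (m["b"], int(m["bp"]))
    src, dst = (left, right) if m["dir"] == "->" else (right, left)
    return m["proto"], src, dst

def is_loopback_proxy_state(parsed, proxy_port=80):
    """True for a TCP state from loopback to loopback on the proxy port: the
    signature of the proxy being redirected back into itself."""
    proto, (src_ip, _), (dst_ip, dst_port) = parsed
    return (proto == "tcp" and src_ip.startswith("127.")
            and dst_ip.startswith("127.") and dst_port == proxy_port)

def check_proxy_loop(lines, proxy_port=80, threshold=100):
    """Summarise a state dump and alert when loopback proxy states reach
    the threshold (each loop connection shows up as a -> and a <- entry)."""
    parsed = [p for p in map(parse_state, lines) if p is not None]
    loop = sum(1 for p in parsed if is_loopback_proxy_state(p, proxy_port))
    return {"total": len(parsed), "loopback_proxy": loop, "alert": loop >= threshold}

# Constructed sample: the loopback states quoted in the first post plus two
# ordinary states (a torrent peer and a DNS lookup) that must not count.
SAMPLE_STATES = """\
tcp 192.168.1.10:51234 -> 203.0.113.7:6881 ESTABLISHED:ESTABLISHED
tcp 127.0.0.1:80 <- 127.0.0.1:43035 ESTABLISHED:ESTABLISHED
tcp 127.0.0.1:57993 -> 127.0.0.1:80 ESTABLISHED:ESTABLISHED
tcp 127.0.0.1:80 <- 127.0.0.1:57993 ESTABLISHED:ESTABLISHED
tcp 127.0.0.1:61552 -> 127.0.0.1:80 ESTABLISHED:ESTABLISHED
tcp 127.0.0.1:80 <- 127.0.0.1:61552 ESTABLISHED:ESTABLISHED
udp 192.168.1.10:53421 -> 198.51.100.2:53 MULTIPLE:MULTIPLE
""".splitlines()

if __name__ == "__main__":
    # On a real box feed it `pfctl -ss` output; threshold 4 only suits the sample.
    print(check_proxy_loop(SAMPLE_STATES, threshold=4))
```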

