Bandwidth Manager rules and Squid

Started by Arthur

Bandwidth Manager rules and Squid   17 August 2009, 10:48

After the recent discussion about Squid and BWM, I reviewed my ruleset and found that I do not follow the manual on that subject.

I have one simple rule per client and do not use a catch all squid rule. The squid mapping is defined in the advanced properties of each rule.
In destination port I did NOT define port 80. So in effect, all traffic goes to Squid but squid only caches http traffic.
I believe this setup is not correct. Please advise.

The manual states: "Whenever you design bandwidth management rules, bear in mind that it only makes sense to redirect HTTP requests to Squid. This is also the reason why we have set destination port to 80 to filter out all other types of traffic. Attempting to route DNS, SMTP, POP3 or any protocol other than HTTP via Squid will fail."

The question is, if the rule specifies port 80 as destination, does that mean that al other (non http traffic) goes trough unlimited?
Or will all other traffic be blocked due to the absence of another rule for that type of traffic?
In other words, do I need two rules, one for the squid mapping and one for all other traffic?
I like to keep one rule per client, if using a general rule for squid, then http traffic will be the same for al users.

On a sidenote, some people appear to map port 443 (https) to squid, seems that this mapping has no effect because https traffic cannot be proxied (men-in-the-middle attack) but caching is perhaps something else. What is the correct procedure, to map 443 to squid or not to map 443 to squid?

SoftPerfect Support forum - Andrew avatar image

Re: Bandwidth Manager rules and Squid   17 August 2009, 21:29

Hi Arthur,

As you correctly understand, redirecting other protocols to Squid is meaningless because it does not know what to do with anything else other than HTTP.

If you make a rule filtering out port 80 only, then unless you have got another catch-all rule, everything goes through unrestricted. The basic rule of the bandwidth manager is that anything is not explicitly banned or limited, goes through freely.

In your case you might have a couple of rules, one for redirecting HTTP and another one for all other traffic, however most administrators also do not want to have two rules per user. In order to use a single rule for both purposes, you will just need a little bit of extra tuning. Simply make a regular rule, something like this:
Source: : Any
Destination: Any : Any
the rest as needed, and specify port 80 as the port suitable for redirection. Hit the Ports button in the Additional Processing group and add it there.

This will result in all traffic to be shaped as you configure this rule, while redirection only occurs on port TCP/UDP ports mentioned in this additional filter. That was made exactly to avoid the need to have more than one rule per user.

As to HTTS/SSL in Squid, it is unable to cache secure web-pages which makes no point in routing SSL traffic via Squid. More details are available here.

Question about rule + Squid.   18 August 2009, 07:56

Thanks for clearing this up Andrew.

In fact, I have my rules set exactly as in your example. I see that "Additional Processing" is just that, the mapping is additional to the normal rule that is already working the way it should.

I have read the lines on SSL from the link you gave me. It appears that Squid does support this type of traffic, but it does not interpret nor process it.
There are some users in my network that are using Hamachi to play online games. Got complaint from the parents and the question if it is possible to block these online games.
After looking at the program, I came to the conclusion that Hamachi must be using port 443 on my network as I have everything else blocked.

I cannot block port 443 ofcourse, but it might be possible to route it via Squid and see if something appears in the logs. This information can be usefull to block Hamachi on a Squid level.

SoftPerfect Support forum - Andrew avatar image

Question about rule + Squid.   18 August 2009, 13:53

Well you can try to block Hamachi by banning this IP address range - (LOGMEIN, INC.). Simply make a blocking rule to this range and that should make the Hamachi clients inoperable.

Reply to this topic

Sometimes you can get the answer faster if you try the forum search and/or have a look at the software user manual to see if your question has already been answered.

Our forum rules are simple:

  • Be polite.
  • Do not spam.
  • If possible, check your spelling and grammar.




A brief and informative title for your message, approximately 4–8 words:


Spam prevention: please enter the following code in the input field below.

 **     **  ********   ********   ********   *******  
 **     **  **     **  **     **     **     **     ** 
 **     **  **     **  **     **     **     **        
 **     **  ********   ********      **     ********  
  **   **   **         **            **     **     ** 
   ** **    **         **            **     **     ** 
    ***     **         **            **      *******