Ubuntu Internet Filter is Sloooooow...

Discussion in 'Server Operation' started by Tyiell, Mar 23, 2010.

  1. Tyiell

    Tyiell New Member

    Hi all,

    Basically I have, at length and with the help of serveral guides written by people who know far more about linux that me, built an Intenet Filter using squid and dansguardian running on Ubuntu (desktop - not the server edition). It works fine, we use a little program on the client called smoothwallIDT (no relation to the smoothwall products themselve I'm told) that basically wraps the username and computer details in the IDENT protocal. DansGuardian can then read it and give appropriate group access (banned, moderate filtering, heavy filtering, unbanned).

    The trouble has been that the idt program sometimes doesn't load on boot and so users are not getting internet. So this time I built the filter, bound it to the domain using winbind, samba, kerberos, squid and dans, and with much fiddling have fudged it to authenticate directly from Active Directory using NTLM.

    All well and good - this does actually work. But it is unusably slow. It never takes less than 5 minutes to load google. Yahoo is timed at 9 minutes. The filter is designed to authenticate using either IDENT or NTLM, so if the idt program is running it uses that intead. In that case, it works fine and loads in seconds.

    Now admittedly I'm not running this system on a proper server, just a desktop workstation. But it is a brand new desktop, an HP dc5800, C2D 3GHz, 2 GB ram, etc. And it is just me on my lone computer having my internet filtered to test it, rather than the whole school. So I don't think it has any excuse to be this slow!!

    As I understand it, ntlm_auth uses a handshake protocol to authenticate, but nothing I have read implies that it should be this slow. If I swap over and make people use this, they will thing that we just downgraded to dial-up modems

    Any thoughts on what I could do to speed things up?

    Many thanks!!
  2. sjau

    sjau Local Meanie Moderator

    what do you actually need to filter? Wouldn't be enough to just setup squid properly and require all traffic going through there?
  3. Tyiell

    Tyiell New Member

    It's a secondary school network so we have responsibilities to restrict all non-eduacational content. The trouble is, educational content is quite an odd range - research in travel & tourism for example requires all sorts of sites unblocked!! I also need to be able to report on students by user id and computer name - showing what sites they have visited and what sites they have tried to visit.

    So basically I need something more sophisticated than Squid. Currently I use dansguardian to provide content filtering with banned phrases, black/white/greylists, etc. And I use the Ident wrapper on the windows clients to identify them to the ubuntu filter. Trouble is, the wrapper often doesn't start on boot, and students love to get out of lessons even if it's just to complain about their internet no working - so trying to teach them how to start the wrapper is not working.

    So obviously automatic authentication with ntlm would be ideal, but over 5 minutes for google to load isn't. Hope that helps :)
  4. Tyiell

    Tyiell New Member

    Ok, it's all fixed and running smoothly now.

    Not entirely sure why (as is so often the case when I troubleshoot in Linux) - I just changed things that looked suspicious until I either broke it completely or fixed it. Guess I got lucky this time! ;)

    Seriously though, should anyone stumble over this and be stuck at the exact same point - I think it was simply that it didn't like having more than one form of authentication - one of the changes I made that seemed to make it work was the removal of the ident plugin.

    Also I noticed that on restarting winbind the permissions are set wron on the /var/run/samba/winbindd_privileged file - the group needs to be set to "proxy" and the group needs write access.

    Viola :D

Share This Page