From: Doug Hardie
Date: Thu, 19 Aug 2010 22:11:32 -0700
To: freebsd-pf@freebsd.org
Subject: Filter Question

I have a situation where one of the web servers needs to have its output throttled. I have pf with ALTQ CBQ running. The pf.conf file contains:

altq on $ext_if cbq bandwidth 100% queue {normal, web}
queue normal bandwidth 99% cbq(default)
queue web bandwidth 10Kb cbq

pass out log on $ext_if proto tcp to any
pass log proto tcp from any to any port 8001 queue web
pass log proto tcp from any port 8001 to any queue web

It seems to work. Requests to the web server at port 8001 are logged and the output is definitely throttled, although there are never any packets shown for the last rule since the original request generates state, which seems to effectively bypass rule processing for the response from the web server.

The throttle on the input is pretty much meaningless but doesn't seem to cause any problems. Without it in the next to last rule, the throttle is never invoked. Likewise I have not found a way to get the output logged. Adding no state to the next to last rule has no effect. I suspect that the last rule can be removed.

Without the next to last rule, nothing is throttled. Is there a better way to do this?
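The behaviour described in the message follows from pf storing the queue of the state-creating rule in the state entry, so the server's reply packets are shaped by the inbound rule's queue when they leave the ALTQ interface. The ruleset below is an added example, not the poster's configuration; it assumes $ext_if is the outside interface, $web_srv is the throttled server's address (a constructed placeholder), and a pf that accepts log (all), as FreeBSD 7 and later do.

```pf
# Added example ruleset, not the original poster's pf.conf.
ext_if  = "em0"            # assumed outside interface
web_srv = "192.0.2.10"     # constructed placeholder for the web server

# ALTQ shapes packets leaving $ext_if. An absolute root bandwidth gives the
# child queues a concrete figure to divide.
altq on $ext_if cbq bandwidth 100Mb queue { normal, web }
  queue normal bandwidth 99%  cbq(default)
  queue web    bandwidth 10Kb cbq

# The queue named on the rule that creates the state is recorded in the
# state entry. The server's replies match that state rather than any rule,
# so they leave $ext_if in "web" without a separate "from port 8001" rule.
# log (all) logs every packet of the connection, not only the first one,
# so the reply direction shows up on pflog0 as well.
pass in  log (all) on $ext_if proto tcp from any to $web_srv port 8001 \
        flags S/SA keep state queue web

# Everything else the host originates leaves in the default queue.
pass out on $ext_if proto tcp from any to any keep state

# Checks:  pfctl -vsq                              (per-queue packet counters;
#                                                   "web" should grow under load)
#          tcpdump -n -e -ttt -i pflog0 port 8001  (both directions logged)
```

Only packets leaving $ext_if are shaped, so the request direction is not throttled by this ruleset; the 10Kb figure applies to the server's output alone.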