Date: Wed, 15 Nov 2006 13:26:09 +0100
From: "Ermal Luçi" <ermal.luci@gmail.com>
To: freebsd-pf@freebsd.org
Subject: Re: how to limit bandwidth for incoming traffic that has destination to gateway itself
Message-ID: <9a542da30611150426qf6bb79cu6b24fa098088d506@mail.gmail.com>
You have to change from:

    pass out on $ext_if proto tcp from <LH> to <Ext> port ssh flags S/SAFR modulate state queue(std_out, iac_out)
    pass out on $ext_if proto tcp from <LH> to <Ext> port $iac_ports flags S/SAFR modulate state queue(iac_out, ack_out)

to:

    pass in on $ext_if proto tcp from <LH> to <Ext> port ssh flags S/SAFR modulate state queue(std_out, iac_out)
    pass in on $ext_if proto tcp from <LH> to <Ext> port $iac_ports flags S/SAFR modulate state queue(iac_out, ack_out)

Since you are tracking state with S/SAFR, that rule can keep track only of connections initiated by $gateway itself. If you use "in" it will track the connections generated by outside peers. Don't confuse the concept that ALTQ shapes only outgoing connections with the keep state one.

Hope it helps.
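The advice above, as an added example rather than anything posted in the thread: a complete pf.conf that puts the two corrected "pass in" rules next to a queue definition so the effect can be checked. The interface name, the address in <Ext>, the peer address in <LH>, the $iac_ports values, the link bandwidth and the queue percentages are all constructed assumptions; the tables, queue names and rule syntax follow the message. The point it illustrates is that a queue assigned by a stateful rule is applied to every packet of that state, including the reply packets leaving $ext_if, so creating the state on the inbound SYN is what lets ALTQ shape the gateway's replies to connections that outside peers initiate.

```conf
# Added example, not the poster's configuration. FreeBSD pf with ALTQ
# (the kernel must be built with options ALTQ and a scheduler such as ALTQ_CBQ).

ext_if    = "em0"               # assumed external interface
iac_ports = "{ 5190, 6667 }"    # assumed ports for the iac_* queues

table <Ext> { 198.51.100.1 }    # constructed: the gateway's own external address
table <LH>  { 192.0.2.0/24 }    # constructed: outside peers whose traffic is shaped

# Queues on the outbound side of $ext_if. ALTQ only ever schedules packets
# leaving an interface; the bandwidth figure is an assumption about the link.
altq on $ext_if cbq bandwidth 10Mb queue { std_out, iac_out, ack_out }
queue std_out bandwidth 50% cbq(default)
queue iac_out bandwidth 30% priority 5 cbq(borrow)
queue ack_out bandwidth 20% priority 7 cbq(borrow)

block in on $ext_if all         # assumed default; only the rules below admit peers

# Wrong variant (kept commented for comparison): "pass out" with S/SAFR only
# sees SYNs that the gateway itself sends, so no state, and therefore no queue,
# is ever created for connections that outside peers open.
# pass out on $ext_if proto tcp from <LH> to <Ext> port ssh flags S/SAFR modulate state queue(std_out, iac_out)

# Corrected: the SYN from the peer arrives *in* on $ext_if and creates the state.
# flags S/SAFR: SYN set, ACK/FIN/RST clear, i.e. only the first packet matches.
# The queue pair applies to every packet of the state in both directions, so the
# gateway's replies leaving $ext_if are scheduled into std_out (or iac_out for
# small/ACK packets) by ALTQ.
pass in on $ext_if proto tcp from <LH> to <Ext> port ssh        flags S/SAFR modulate state queue(std_out, iac_out)
pass in on $ext_if proto tcp from <LH> to <Ext> port $iac_ports flags S/SAFR modulate state queue(iac_out, ack_out)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then open an SSH session from an address in <LH> and watch `pfctl -vvsq`: the packet and byte counters of std_out and iac_out should rise while the session is active. If only the default queue moves, the state is not being created by the "pass in" rule and the replies are not being shaped.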