From: Girish Venkatachalam <girishvenkatachalam@gmail.com>
To: freebsd-questions@freebsd.org
Date: Fri, 28 Mar 2008 08:18:53 +0530
Subject: Re: Limiting Individual User Upload w/ PF+ALTQ
Message-ID: <20080328024853.GA28202@saraswathy.madambakam.org>
In-Reply-To: <32e5d9700803271518r43c2653av4618cbd78b9bfc7d@mail.gmail.com>
References: <32e5d9700803271518r43c2653av4618cbd78b9bfc7d@mail.gmail.com>
Reply-To: girishvenkatachalam@gmail.com
User-Agent: Mutt/1.5.16 (2007-06-09)

On 18:18:09 Mar 27, Joe Ryan wrote:
> I am trying to set up traffic shaping on our network. I was wondering if it
> was possible to limit a user's download bandwidth and upload bandwidth within
> the same state connection. For example, say a user connects to an external
> FTP site and does some uploading and downloading. Can I allow him to
> download at 1Mb but limit his upload to 500Kb?

Easy with pf.

> As I understand the packet filtering of PF, the first packet creates a state
> and the rest are then ignored by the filtering software.

Then your understanding is wrong.

> If this is true, the user's first packet
> will be inbound on the internal interface which will be queued for download
> speed. This makes sense to me when you want to queue the entire connection
> but how do I then do a separate queue on the traffic coming back?

What happens is that maintaining state enhances security and does not reduce it as people often think. Matching states is several orders of magnitude faster, more efficient and secure than matching every packet with the thousand firewall rules.

Anyway that is a digression. You want to limit speeds? Only upload speeds?

Use the HFSC queue or CBQ queue of pf.
You can specify the direction as "in" or "out". So pf gives you enough granularity for restricting either inbound or outbound traffic (downloads and uploads).

The only caveat is that you will need to invest some time and effort in figuring out how queuing disciplines work. No big deal if you can read thro' the documentation.

Here is a site that can help you.

http://www.calomel.org/pf_hfsc.html

Thanks.

-Girish
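The two-queue setup described in this thread, written out as an added pf.conf example (it is not from the original mail or from the calomel page). It assumes an external interface em0 on a 2Mb uplink, an internal interface em1, and a single user host 192.168.1.10 that should get at most 500Kb of upload and 1Mb of download; all of those names and numbers are constructed for the example. ALTQ only shapes packets leaving an interface, so the upload cap lives on the external interface and the download cap on the internal one. Because a state created on one interface would otherwise be matched again on the other interface (and the queue rule there would never be evaluated), the example binds states to the interface they were created on with `set state-policy if-bound`, and puts each queue on the rule whose state will carry the packets that leave that interface.

```pf
# Constructed example, not the thread's or calomel's configuration.
# Assumed topology: em0 = external (2Mb uplink), em1 = internal LAN,
# 192.168.1.10 = the user to be shaped.
ext_if = "em0"
int_if = "em1"
user   = "192.168.1.10"

set skip on lo0
# Per-interface states: the same flow gets one state on em1 and one on em0,
# so the queue-carrying rule on each interface is actually evaluated.
set state-policy if-bound

# Upload direction: the user's packets leave on the external interface.
altq on $ext_if hfsc bandwidth 2Mb queue { std_out, user_up }
queue std_out bandwidth 1500Kb hfsc(default)
queue user_up bandwidth 500Kb  hfsc(upperlimit 500Kb)

# Download direction: replies from the Internet leave on the internal interface.
altq on $int_if hfsc bandwidth 100Mb queue { std_in, user_down }
queue std_in    bandwidth 99Mb hfsc(default)
queue user_down bandwidth 1Mb  hfsc(upperlimit 1Mb)

block all

# State created here on em1 carries the reply packets that exit em1,
# so this rule's queue is the download cap.
pass in  on $int_if from $user to any keep state queue user_down

# State created here on em0 carries the user's own packets exiting em0,
# so this rule's queue is the upload cap.
pass out on $ext_if from $user to any keep state queue user_up

# Everything else from the LAN goes through the default queues.
pass in  on $int_if from $int_if:network to any keep state
pass out on $ext_if from $int_if:network to any keep state
```

After loading it with `pfctl -f /etc/pf.conf`, `pfctl -vs queue` shows per-queue packet and byte counters, which is the quickest way to confirm that the user's FTP data really lands in `user_up` on one interface and `user_down` on the other rather than in the default queues.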