Date:      Sun, 20 Nov 2005 20:59:06 +0100
From:      Jeremie Le Hen <jeremie@le-hen.org>
To:        Daniel Hartmeier <daniel@benzedrine.cx>
Cc:        Matthew Grooms <mgrooms@seton.org>, freebsd-pf@freebsd.org
Subject:   Re: Traffic Shaping with pf ...
Message-ID:  <20051120195906.GZ5197@obiwan.tataz.chchile.org>
In-Reply-To: <20051116233537.GT29615@insomnia.benzedrine.cx>
References:  <437BB031.9090504@seton.org> <20051116233537.GT29615@insomnia.benzedrine.cx>

Hi, Daniel, Matthew,

On Thu, Nov 17, 2005 at 12:35:37AM +0100, Daniel Hartmeier wrote:
> [...]
>
> If you want to do this with ALTQ, you can do so by limiting outgoing
> packets on the "other" interface, assuming the box is forwarding all
> packets between two interfaces. If a browser (on a separate local box)
> is downloading a file from an external web server _through_ the ALTQ
> box, you rate-limit packets going out through the internal interface.
> Every packet coming in on the external interface obviously goes out
> through the internal interface, hence rate-limiting outgoing packets on
> the internal interface has the same effect as rate-limiting incoming
> packets on the external interface.
> 
> This does not work if the client is on the ALTQ box itself, obviously
> (there is no "other" interface to rate-limit on). In this case you're
> facing a limitation of ALTQ itself. You might have to move ALTQ onto an
> additional intermediate box, just so you do have a second interface. I
> don't think there are any plans to introduce incoming queues in ALTQ.

First, thank you for this very clear explanation.  I'm going to
bookmark it, and it will serve as a reference whenever this kind
of question arises.

Next, I would like to add a small note on Dummynet, for the sake of
completeness.  It does not have the same capabilities as ALTQ, but
it is very efficient in the latter case you described (non-DoS) and
can work on both inbound and outgoing paths (actually, it does not
even need to be bound to a particular interface, which may be
worthwhile if you have multiple internal interfaces; this also means
it can be used to rate-limit connections with the box itself).

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
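The forwarding setup Daniel describes, written out as a pf.conf fragment. This is an added example, not from either mail in the thread; the interface names, the LAN prefix and the 10Mb/20% figures are assumed placeholders.

```pf
# Added example: shape LAN downloads with ALTQ on a forwarding pf box.
# Interface names and the LAN prefix are assumed placeholders.
ext_if  = "fxp0"
int_if  = "fxp1"
lan_net = "192.168.1.0/24"

# ALTQ only schedules packets *leaving* an interface, so the scheduler
# is attached to the internal interface: every packet forwarded from
# the Internet to a LAN client leaves the box through it.
altq on $int_if cbq bandwidth 10Mb queue { q_lan, q_web_dl }
queue q_lan    bandwidth 80% cbq(default)
queue q_web_dl bandwidth 20%          # 2Mb cap for web downloads

block all

# Generic LAN-originated traffic: default queue.  These rules come
# first because pf uses last-match-wins and the web rule below must win.
pass in  on $int_if from $lan_net to any keep state
pass out on $ext_if from $lan_net to any keep state

# LAN clients opening web connections.  The queue is stored in the state
# created here, so the server's reply packets inherit it and are put in
# q_web_dl when they are sent out $int_if.  The request packets leaving
# $ext_if are unaffected, since no altq is configured on that interface.
pass in on $int_if proto tcp from $lan_net to any port { 80, 443 } \
    flags S/SA keep state queue q_web_dl
```

As Daniel notes, this caps downloads only for clients behind the box; a download performed by the pf box itself never leaves through $int_if and is not shaped by this configuration.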