Traffic Shaping with pf ...

Jeremie Le Hen jeremie at le-hen.org
Sun Nov 20 11:59:36 PST 2005


Hi, Daniel, Matthew,

On Thu, Nov 17, 2005 at 12:35:37AM +0100, Daniel Hartmeier wrote:
> [...]
>
> If you want to do this with ALTQ, you can do so by limiting outgoing
> packets on the "other" interface, assuming the box is forwarding all
> packets between two interfaces. If a browser (on a separate local box)
> is downloading a file from an external web server _through_ the ALTQ
> box, you rate-limit packets going out through the internal interface.
> Every packet coming in on the external interface obviously goes out
> through the internal interface, hence rate-limiting outgoing packets on
> the internal interface has the same effect as rate-limiting incoming
> packets on the external interface.
> 
> This does not work if the client is on the ALTQ box itself, obviously
> (there is no "other" interface to rate-limit on). In this case you're
> facing a limitation of ALTQ itself. You might have to move ALTQ onto an
> additional intermediate box, just so you do have a second interface. I
> don't think there are any plans to introduce incoming queues in ALTQ.

First, thank you for this very clear explanation.  I'm going to
bookmark it, and it will serve as a reference whenever this kind
of question arises.

Next, I would like to add a small note on Dummynet, for the sake of
completeness.  It does not have the same capabilities as ALTQ, but
it is very efficient in the latter case you described (non-DoS) and
can work on both inbound and outgoing paths (actually, it does not
even need to be bound to a particular interface, which may be
worthwhile if you have multiple internal interfaces, and this also
means it can be used to rate-limit connections with the box itself).

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
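The "rate-limit on the other interface" technique Daniel describes, written out as a pf.conf fragment. This is an added example, not configuration from anyone in the thread; the interface names em0/em1 and the LAN prefix 192.168.1.0/24 are assumed.

```pf
# Added example (not from the original thread).  Assumed layout: em0 is the
# external interface, em1 the internal one, 192.168.1.0/24 the LAN behind it.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"

# ALTQ shapes only packets *leaving* an interface, so the queues go on the
# internal interface.  A download fetched by a LAN host enters on $ext_if
# and has to leave through $int_if, which is where it gets rate-limited.
altq on $int_if cbq bandwidth 100Mb queue { std, web_dl }
queue std    bandwidth 90% cbq(default)
queue web_dl bandwidth 2Mb cbq            # HTTP downloads to the LAN: 2 Mbit/s

# The queue name is stored in the state entry, so the reply packets of a
# connection carry it as well; it only takes effect on $int_if, because that
# is the only interface running ALTQ.  pf uses last-match, so the general
# rule comes first and the port-80 rule overrides it.
pass in  on $int_if from $int_net to any keep state queue std
pass in  on $int_if proto tcp from $int_net to any port 80 keep state queue web_dl
pass out on $ext_if keep state

# Not covered: a download started by this box itself.  Its reply packets
# never leave through $int_if, so no ALTQ queue ever sees them (the ALTQ
# limitation described in the thread); Dummynet is the usual answer there.
```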

