Limiting Individual User Upload w/ PF+ALTQ

Girish Venkatachalam girishvenkatachalam at gmail.com
Thu Mar 27 19:49:09 PDT 2008


On 18:18:09 Mar 27, Joe Ryan wrote:
> I am trying to setup traffic shaping on our network. I was wondering if it
> was possible to limit a users download bandwidth and upload bandwidth within
> the same state connection. For example, say a user connects to an external
> FTP site and does some uploading and downloading. Can I allow him to
> download at 1Mb but limit his upload to 500Kb? 

Easy with pf.

> As I understand the packet filtering of PF, the first packet creates a state 
> and the rest are then ignored by the filtering software. 

Then your understanding is wrong.

> If this is true, the users first packet
> will be inbound on the internal interface which will be queued for download
> speed. This makes sense to me when you want to queue the entire connection
> but how do I then do a separate queue on the traffic coming back?
> 

What happens is that maintaining state enhances security and does not
reduce it as people often think.

Matching states is several orders of magnitude faster, more efficient
and secure than matching every packet with the thousand firewall rules.

Anyway that is a digression.

You want to limit speeds? Only upload speeds?

Use the HFSC queue or CBQ queue of pf.

You can specify the direction as "in" or "out". So pf gives you enough
granularity for restricting either inbound or outbound traffic
(downloads and uploads).

The only caveat is that you will need to invest some time and effort in
figuring out how queuing disciplines work. No big deal if you can read
thro' the documentation.

Here is a site that can help you.

http://www.calomel.org/pf_hfsc.html

Thanks.

-Girish
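As an added illustration of the in/out granularity described above (this is not part of the original reply or of the pf documentation), here is a pf.conf fragment that gives one internal host the 500Kb upload / 1Mb download split from the question. It assumes em0 is the external interface, em1 the internal one, the host is 192.168.1.50, the box routes without NAT, and the kernel was built with ALTQ and ALTQ_HFSC.

```pf
# Added example, not from the original post. Interface names, the host
# address and the no-NAT setup are assumptions.
ext_if = "em0"
int_if = "em1"
user   = "192.168.1.50"

# ALTQ only queues packets as they LEAVE an interface, so the upload cap
# is a queue on $ext_if and the download cap is a queue on $int_if.
altq on $ext_if hfsc bandwidth 10Mb queue { ext_def, user_up }
  queue ext_def bandwidth 9.5Mb hfsc(default)
  queue user_up bandwidth 500Kb hfsc(upperlimit 500Kb)

altq on $int_if hfsc bandwidth 100Mb queue { int_def, user_down }
  queue int_def bandwidth 99Mb hfsc(default)
  queue user_down bandwidth 1Mb hfsc(upperlimit 1Mb)

# With floating states (the default) one state would follow the connection
# across both interfaces and carry a single queue name. Binding states to
# the interface that created them gives each interface its own state, and
# therefore its own queue, for the same connection.
set state-policy if-bound

# Server -> user replies leave on $int_if, match this state, and are
# shaped by user_down (1Mb).
pass in quick on $int_if from $user to any keep state queue user_down

# User -> server packets leave on $ext_if, create a second state there,
# and are shaped by user_up (500Kb).
pass out quick on $ext_if from $user to any keep state queue user_up
```

Load it with `pfctl -f /etc/pf.conf` and watch the two queues fill with `pfctl -vsq` while the host transfers in each direction; a real rule set would of course add its usual block-by-default and pass rules around these.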


More information about the freebsd-questions mailing list