Hi, Daniel, Matthew,

On Thu, Nov 17, 2005 at 12:35:37AM +0100, Daniel Hartmeier wrote:
> [...]
>
> If you want to do this with ALTQ, you can do so by limiting outgoing
> packets on the "other" interface, assuming the box is forwarding all
> packets between two interfaces. If a browser (on a separate local box)
> is downloading a file from an external web server _through_ the ALTQ
> box, you rate-limit packets going out through the internal interface.
> Every packet coming in on the external interface obviously goes out
> through the internal interface, hence rate-limiting outgoing packets on
> the internal interface has the same effect as rate-limiting incoming
> packets on the external interface.
>
> This does not work if the client is on the ALTQ box itself, obviously
> (there is no "other" interface to rate-limit on). In this case you're
> facing a limitation of ALTQ itself. You might have to move ALTQ onto an
> additional intermediate box, just so you do have a second interface. I
> don't think there are any plans to introduce incoming queues in ALTQ.

First, thank you for this very clear explanation. I'm going to bookmark
it and will use it as a reference whenever this kind of question
arises.

Next, I would like to add a small note on Dummynet, for the sake of
completeness. It does not have the same capabilities as ALTQ, but it is
very efficient in the latter case you described (non-DoS) and can work
on both inbound and outgoing paths (actually, it does not even need to
be bound to a particular interface, which may be worthwhile if you have
multiple internal interfaces, and this also means it can be used to rate
limit connections with the box itself).

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
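
The forwarding-box case described in the quoted message, written out as a pf.conf fragment. This is an added example, not part of the original thread or of either author's configuration; the interface names, LAN prefix, ports and bandwidth figures are constructed placeholders.

```conf
# Added example, constructed values (assumptions, adjust to the real box):
#   em0 = external interface, em1 = internal interface,
#   192.168.1.0/24 = LAN, 100Mb internal link, 2Mb cap on web downloads.
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"

# ALTQ only schedules packets that LEAVE an interface, so the queues that
# shape downloads are declared on the internal interface, not on $ext_if.
altq on $int_if cbq bandwidth 100Mb queue { lan_default, dl_web }
queue lan_default bandwidth 98Mb cbq(default)
# No "borrow" option: dl_web stays capped at 2Mb even when the link is idle.
queue dl_web      bandwidth 2Mb  cbq

# The state is created by the client's request arriving on $int_if. The
# queue named on this rule is not applied to that inbound packet; it is
# applied to packets of the same state when they leave $int_if, which are
# the server's replies being forwarded to the client.
pass in  on $int_if proto tcp from $lan to any port { 80, 443 } \
    keep state queue dl_web

# Let the forwarded request out on the external side. No queue here,
# because no ALTQ discipline is attached to $ext_if in this fragment.
pass out on $ext_if proto tcp to any port { 80, 443 } keep state
```

Once loaded, `pfctl -vs queue` shows per-queue packet and drop counters, which confirms that download traffic is landing in `dl_web` rather than in the default queue.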