On 14/07/06, Jeff Quast <[EMAIL PROTECTED]> wrote:
>
> On 7/14/06, Bernd Schoeller <[EMAIL PROTECTED]> wrote:
> > On Thu, Jul 13, 2006 at 08:53:31PM -0400, Jeff Quast wrote:
> > > You cannot control the speed at which packets arrive on an interface.
> > Are you sure?
>
> I am sure. If it sounds unreasonable, get a live firehose, and see if
> you can control the amount of water received in your mouth.
>
> I don't think your question is entirely clear.. Please note there is
> also a pf mailing list http://www.benzedrine.cx/mailinglist.html . You
> state you want to control the download speed on a LAN, implying all
> incoming and outgoing packets are on this LAN. If this is the case put
> pf+altq on each machine, and queue outgoing packets. Seems simple
> enough to me.
>
> From the faq:
>
> "PF will record the queue in the state table entry so that packets
> traveling back out fxp0 that match the stateful connection will end up
> in the ssh queue. Note that even though the queue keyword is being
> used on a rule filtering incoming traffic, the goal is to specify a
> queue for the corresponding outgoing traffic; the above rule does not
> queue incoming packets. "

You may not be able to control the rate the packets hit the firewall with, but you can control the rate they exit on the other side.

Doing what you want to accomplish can be done, read the pf.conf man page again a few times and consider that state is created for each interface. An inbound keep state rule on one interface can specify which queue the return packets should end up in, and an outbound keep state rule on the other side can specify which queue the packets should use there.

Now it's all down to rule-set design, that is where the complexity, and in the end the strength of PF is.

/Tony

--
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
-= The scorpion replied, "I couldn't help it, it's my nature" =-
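
The two-interface queue assignment described in the reply above, written out as an added pf.conf example that is not part of the original thread. The interface names, LAN range, queue names and bandwidth figures are assumptions, and the gateway is assumed to route the LAN without NAT; the syntax is that of the ALTQ-era pf the thread discusses.

```conf
# Added example, not from the thread. All names and numbers are assumed.
ext_if = "fxp0"             # assumed Internet-facing interface
int_if = "fxp1"             # assumed LAN-facing interface
lan    = "192.168.1.0/24"   # assumed LAN range, routed without NAT

# ALTQ only queues packets LEAVING an interface, so each direction is
# shaped on the interface where its packets exit the firewall.

# Upload: packets leaving toward the Internet.
altq on $ext_if cbq bandwidth 1Mb queue { up_def, up_ssh }
queue up_def bandwidth 80% cbq(default)
queue up_ssh bandwidth 20% priority 5 cbq(borrow)

# Download: packets leaving toward the LAN. This caps everything sent out
# $int_if, including traffic that originates on the firewall itself.
altq on $int_if cbq bandwidth 4Mb queue { down_def, down_ssh }
queue down_def bandwidth 80% cbq(default)
queue down_ssh bandwidth 20% priority 5 cbq(borrow)

block all

# Last matching rule wins, so the general rule precedes the ssh rule.

# Inbound rules on $int_if create state there. The queue keyword does not
# queue these incoming packets; it names the queue for the replies that
# later go back OUT $int_if, which is the download direction.
pass in on $int_if from $lan to any keep state queue down_def
pass in on $int_if proto tcp from $lan to any port ssh \
    keep state queue down_ssh

# Outbound rules on $ext_if create a second state for the same connection
# and put its outgoing packets in the upload queues.
pass out on $ext_if from $lan to any keep state queue up_def
pass out on $ext_if proto tcp from $lan to any port ssh \
    keep state queue up_ssh
```

Running `pfctl -nf` on the file parses the ruleset without loading it, and `pfctl -vsq` shows per-queue counters once it is loaded.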