Rod Whitworth wrote:

I have read lots of helpful pf.conf examples that seem to do reasonably
complex queueing and that's fine but I am sure there is a simple way to
do what I want.
No Google lead pointed at someone doing just the task described below.
I did STFA here too

In order to demonstrate how slow a webpage looks to a dial-up user
(when the browser is behind my pf firewall and there is a 1536/256Kb/s
ADSL line to the world) I'd like to be able to reload the pf ruleset
with pf.slow which would limit inbound bandwidth by queueing on the
internal interface so that e.g. 192.168.1.200 suddenly was restricted
to 33 Kb/s and no other LAN host was affected and .200 could not get
any more even if all the others were idle.

Doable? Hint?
Is RED required?
ATM I'm a bit confused about the rich plethora of options in pf's
queueing.

Have you tried doing something really simple:

#1) enable altq on $int_if (your internal interface, gateway, etc)
#2) set up a bw pipe for the 33kb/s (adslpipe)
#3) pass out quick on $int_if from any to .200 keep state queue adslpipe

Do not keep state on incoming on $int_if, or you will not be using pass out's keep state (#3), because you already have a state created on the incoming (.200 -> $int_if).

I did some tests on FreeBSD + pf + altq a while ago that worked ok... you can also play with packet tagging or maybe change pf's settings on how states behave.

The trick is using queueing on the outgoing of an interface. This doesn't make a whole lot of sense for adsl and other stuff, because you want to get stuff as fast as possible and the bw for acks is the limiting factor. BUT, for limiting bad bad boys on your local network, this makes perfect sense, and you can't limit what they get by limiting acks (assuming the problem is downloading too much)...

MAKE SURE you are using the pass out keep state rule. "pfctl -vsr |grep -A1 @<rulenumber>" is your friend.

BA
--
Bruno Miguel Afonso
Biological Eng. student
D.E.Q. @ I.S.T. - Portugal
GnuPG Public key: http://dequim.ist.utl.pt/~bruno/gpg
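The three steps above, written out as a pf.conf fragment. This is an added example, not a ruleset from the thread or from either poster. It uses the ALTQ syntax of that era (OpenBSD before 5.5 / FreeBSD pf with ALTQ), and the interface names, the 192.168.1.0/24 LAN, the 100Mb LAN speed and the use of `set state-policy if-bound` are assumptions: if-bound is one way of "changing pf's settings on how states behave" so that the state for the slow host's downloads is created by the `pass out` rule on $int_if (which carries the queue) rather than by an earlier floating state on $ext_if.

```pf
# Added example pf.conf fragment (not from the thread). ALTQ-era syntax.
# Assumed names: pppoe0 = ADSL side, fxp0 = LAN side, .200 = the "dial-up" host.
ext_if    = "pppoe0"
int_if    = "fxp0"
slow_host = "192.168.1.200"

# Assumption: bind states to the interface they were created on, so the
# reply traffic leaving $int_if is matched (and queued) by the pass out
# rule on $int_if, not by a floating state created on $ext_if.
set state-policy if-bound

# Step 1: enable ALTQ on the internal interface. Downloads for LAN hosts
# leave the firewall through $int_if, so that is the only place pf can
# shape them. The parent bandwidth is the LAN link speed (assumed 100Mb);
# everything except the slow host stays in the unthrottled default queue.
altq on $int_if cbq bandwidth 100Mb queue { lan_default, adslpipe }
queue lan_default bandwidth 99% cbq(default)

# Step 2: the 33Kb/s pipe. No "borrow" keyword, so the host cannot take
# more than 33Kb/s even when every other LAN host is idle.
queue adslpipe bandwidth 33Kb

# Step 3: put traffic destined to the slow host into that queue. "quick"
# makes this rule win over later pass out rules on $int_if, and keep state
# makes the state (and therefore the queue assignment) belong to this rule.
pass out quick on $int_if from any to $slow_host keep state queue adslpipe

# Inbound on $int_if deliberately WITHOUT keep state (the reply's caveat):
# a state created here would carry no queue and would short-circuit rule #3.
pass in on $int_if from $int_if:network to any

# Outbound on the ADSL side as usual; with if-bound its state is confined
# to $ext_if and does not interfere with the queued state on $int_if.
pass out on $ext_if keep state
```

Load it with `pfctl -f /etc/pf.slow` and, as the reply says, check with `pfctl -vsr` that the `pass out quick ... queue adslpipe` rule is the one accumulating state; `pfctl -vsq` then shows per-queue packet and byte counters, so a download on .200 should move the `adslpipe` counters while `lan_default` keeps serving the other hosts at full speed.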