Gmail Calendar Documents Reader Web more »
Recently Visited Groups | Help | Sign in
Google Groups Home
comp.unix.bsd.openbsd.misc
+ new post
About this group
Subscribe to this group
This is a Usenet group - learn more
Message from discussion PF inadequacy: queue download
The group you are posting to is a Usenet group. Messages posted to this group will make your email address visible to anyone on the Internet.
Your reply message has not been sent.
Your post was successful
 
From:
To:
Cc:
Followup To:
Add Cc | Add Followup-to | Edit Subject
Subject:
Validation:
For verification purposes please type the characters you see in the picture below or the numbers you hear by clicking the accessibility icon. Listen and type the numbers you hear
 
kestas....@gmail.com  
View profile  
 More options Apr 30 2006, 9:26 am
Newsgroups: comp.unix.bsd.openbsd.misc
From: kestas....@gmail.com
Date: 29 Apr 2006 16:26:30 -0700
Local: Sun, Apr 30 2006 9:26 am
Subject: Re: PF inadequacy: queue download
Reply to author | Forward | Print | View thread | Show original | Report this message | Find messages by this author
> I haven't heard of any firewall that successfully could.  If you're
> being DDOSd, you're being DDOSd.  No firewall with any special set
> of rules can improve your bandwidth in that case.  If the pipe is
> filled, it's filled.

Yes, if you're being DDoSed then incoming traffic shaping won't do
anything, but if you're using TCP streams from cooperative hosts you
can shape incoming traffic very effectively; you drop packets, sender
realises packets are getting lost, sender slows down sending packets.
It works when you use the hack of queueing on the internal interface
when you're using NAT, it clearly works, so why can't you do it on a
single interface?

> I don't use IPFW, so I can't speak on its specific technical merits.
> Maybe you should ask the IPFW devs how they're able to perform this
> magic.  Last I heard, the PF devs were technicians, engineers, and
> scientists, not a single magic-user among them. (IRL anyhow.  :-))

There's no magic about it :-P

> I think that you _can_ configure PF to do this, but I believe that
> what the developers are trying to say is, `What's the point'?  We're
> talking about trying to control traffic _before_ it hits your
> interface.  Even if the remote sending host is well-behaved enough
> to slow down its sending rate, it still has to interact with PF
> before PF can decide whether to pass the packets, drop the packets,
> or tell the sending host to `bugger off'.
> So, you can queue the download traffic, but that really has a minor
> to no effect on traffic outside of your firewall.  The queuing
> actually occurs on _your_ side of the external interface.

As I explained above shaping download traffic works great, but only
using the two interface hack. People on other boards are telling me I
should put another box beetween the LAN and the internet so I can use
the two interface hack for all traffic, but this seems stupid; if it
works over two interfaces so it can certainly work on one interface, so
why doesn't it?

Kesas


    Reply to author    Forward  
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
Create a group - Google Groups - Google Home - Terms of Service - Privacy Policy
©2009 Google