comp.unix.bsd.openbsd.misc
* kestas....@gmail.com <kestas....@gmail.com> [2006-04-29]:
>> being DDOSd, you're being DDOSd. No firewall with any special set
>> of rules can improve your bandwidth in that case. If the pipe is
>> filled, it's filled.
> Yes, if you're being DDoSed then incoming traffic shaping won't do
> anything, but if you're using TCP streams from cooperative hosts you
> can shape incoming traffic very effectively; you drop packets, sender
> realises packets are getting lost, sender slows down sending packets.
> It works when you use the hack of queueing on the internal interface
> when you're using NAT, it clearly works, so why can't you do it on a
> single interface?

actually occurs on your side of the firewall, and that it has to be
on the outbound traffic.

Now I might still be wrong, but I think that you want to control
your machine's ack rate. Have you looked at
http://www.benzedrine.cx/ackpri.html? This guy has some ideas that
might be applicable to your situation.

You may also want to look at
http://www.bgnett.no/~peter/pf/en/long-firewall.html.

I've found both of these sites to be sources of useful PF info. :-)

--
W. Steven Schneider <steven_schnei...@telus.net>