Message from discussion PF inadequacy: queue download

Path: g2news2.google.com!news3.google.com!news.glorb.com!newsfeed2.telusplanet.net!newsfeed.telusplanet.net!newsfeed.telus.net!clgrps13.POSTED!53ab2750!not-for-mail
Newsgroups: comp.unix.bsd.openbsd.misc
From: Steven Schneider <steven_schnei...@telus.net>
Subject: Re: PF inadequacy: queue download
References: <1146315891.156700.262960@j73g2000cwa.googlegroups.com> <slrne5758h.eb6.steven_schneider@gemini.wss-ds.org> <1146353190.392922.127870@i40g2000cwc.googlegroups.com>
Organization: Just a Guy and His Family
X-No-Alan-Connor: Yes
X-Operating-System: OpenBSD 3.9
X-Crypto: GnuPG http://www.gnupg.org/
X-GnuPG-Expiry-Date: 09 October 2007
X-GnuPG-ID: 0x4A330D06
X-GnuPG-Fingerprint: 4AB5 8738 DC7B AAE8 3795 6285 D549 80A2 4A33 0D06
X-Signature-Color: magenta black
Message-ID: <slrne582mo.tup.steven_schneider@gemini.wss-ds.org>
User-Agent: slrn/0.9.8.1 (OpenBSD)
Lines: 29
Date: Sun, 30 Apr 2006 00:54:48 GMT
NNTP-Posting-Host: 198.166.227.91
X-Trace: clgrps13 1146358488 198.166.227.91 (Sat, 29 Apr 2006 18:54:48 MDT)
NNTP-Posting-Date: Sat, 29 Apr 2006 18:54:48 MDT

* kestas....@gmail.com <kestas....@gmail.com> [2006-04-29]:
>> I haven't heard of any firewall that successfully could.  If you're
>> being DDOSd, you're being DDOSd.  No firewall with any special set
>> of rules can improve your bandwidth in that case.  If the pipe is
>> filled, it's filled.
> Yes, if you're being DDoSed then incoming traffic shaping won't do
> anything, but if you're using TCP streams from cooperative hosts you
> can shape incoming traffic very effectively; you drop packets, sender
> realises packets are getting lost, sender slows down sending packets.
> It works when you use the hack of queueing on the internal interface
> when you're using NAT, it clearly works, so why can't you do it on a
> single interface?
>
Obviously, I misunderstood.  It's still true that the queuing
actually occurs on your side of the firewall, and that it has to be
on the outbound traffic. 

Now I might still be wrong, but I think that you want to control 
your machine's ack rate.  Have you looked at 
http://www.benzedrine.cx/ackpri.html?  This guy has some ideas that 
might be applicable to your situation.

You may also want to look at
http://www.bgnett.no/~peter/pf/en/long-firewall.html.

I've found both of these sites to be sources of useful PF info.  :-)

-- 
W. Steven Schneider  <steven_schnei...@telus.net>
