On Wed, Jul 23, 2003 at 05:35:05PM -0700, Trevor Talbot wrote:
> I meant in automatic terms. There have been requests for things like
> "all hosts in this netblock have a limit of N kb/s each". This can be
> solved with a bit of scripting, but some of the resulting rules that
> have been posted have been scary in length :)
I misread, and felt some weird urge to defend ALTQ's honor. Rulesets can get scary in length; that seems to be what happens when you are regulating large, complicated networks. I have yet to see a tool that allows me to manage that as well as pf does.

> PF opens up some neat possibilities for future work on the conditioner,
> since it no longer makes sense to tie it directly to an interface.

I can see the potential, absolutely. Just not sure what to do, say, tomorrow, when some of my gateway's inbound interfaces get sacked by greedy tcp connections -- since I can't regulate that well on the other side (outbound, natted).

matthew
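For reference, the "per-host limit via scripting" approach the quoted message alludes to looks like the script below. It is an added example written for this page, not code posted by anyone in the thread: it emits a pf.conf fragment with one CBQ child queue and one pass rule per host in a /24. The interface name int0, the netblock 192.0.2.0/24 and the rates are assumed placeholders. Because ALTQ only shapes traffic leaving an interface, the interface has to be the one facing the hosts to cap what each host receives, which is exactly the inbound-side limitation the reply complains about.

```shell
#!/bin/sh
# Added example (not from the thread): generate a pf.conf fragment that
# gives every host in a /24 its own ALTQ CBQ queue capped at PER_HOST_KB.
# Interface, netblock and rates are assumed placeholders.
# ALTQ shapes traffic leaving an interface, so IFACE must face the hosts
# (the inside interface) for the cap to apply to what each host receives.

IFACE="${IFACE:-int0}"            # assumed inside interface
NET3="${NET3:-192.0.2}"           # assumed /24, first three octets
PER_HOST_KB="${PER_HOST_KB:-32}"  # assumed per-host ceiling in Kb/s
DEFAULT_KB="${DEFAULT_KB:-1000}"  # assumed bandwidth of the catch-all queue
HOSTS=254                         # .1 through .254

# CBQ rejects child queues whose bandwidths sum to more than the parent,
# so size the root queue to exactly what the children plus default need.
root_kb() {
    echo $(( DEFAULT_KB + HOSTS * PER_HOST_KB ))
}

# Root queue declaration plus one child queue per host (hN for $NET3.N).
# Queue names stay well under ALTQ's 15-character limit.
gen_queues() {
    printf 'altq on %s cbq bandwidth %sKb queue { std' "$IFACE" "$(root_kb)"
    i=1
    while [ "$i" -le "$HOSTS" ]; do
        printf ', h%s' "$i"
        i=$((i + 1))
    done
    printf ' }\n'
    printf 'queue std bandwidth %sKb cbq(default)\n' "$DEFAULT_KB"
    i=1
    while [ "$i" -le "$HOSTS" ]; do
        printf 'queue h%s bandwidth %sKb\n' "$i" "$PER_HOST_KB"
        i=$((i + 1))
    done
}

# One pass rule per host steering traffic toward that host into its queue.
# Queue definitions must precede filter rules in pf.conf, hence the order.
gen_rules() {
    i=1
    while [ "$i" -le "$HOSTS" ]; do
        printf 'pass out on %s from any to %s.%s keep state queue h%s\n' \
            "$IFACE" "$NET3" "$i" "$i"
        i=$((i + 1))
    done
}

# Whole fragment, ready to be included from pf.conf.
gen_ruleset() {
    gen_queues
    gen_rules
}

# gen_ruleset | wc -l  ->  510 lines (2 + 254 + 254) for a single /24
```

Run it as `sh gen-altq.sh > /etc/pf.perhost.conf` and pull the fragment into pf.conf; the 510-line result for one /24 is what "scary in length" means in practice, and a /16 would be 256 times that, which is why people ask for the limit to be expressed once per netblock instead.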
