On Thu, Apr 22, 2004 at 09:21:51AM +0200, Per-Olov Sjöholm wrote:
>
> If you have a std firewall not set up as a bridge everything is clear
> (shape on the outgoing interface).
> But if you want to shape traffic on both directions on a bridge ?

so you're asking two questions at once it seems?

yeah, std firewall and you wanna queue your upload, shape on ISP-facing interface. if you want to shape traffic on both directions, you can approach that by shaping your upload on ISP-facing iface and shaping download on LAN-facing iface.

as far as shaping both on a bridge:

> Let say fxp1 is on the outside and fxp0 on the inside. ...
> Will you then pass everything in both directions on fxp0 and do ALL rules
> and shaping on fxp1 no matter of direction?
> Will the shaping work in the bridge case for traffic coming IN to fxp1 ?
> Is there any guidelines for bridge setups with PF ?
> What is the wise way in this setup ?

i really don't know if the scenario is any different for a bridge, but i do queueing on both packets from my LAN to the world ( upload ) and also on the LAN-facing (internal) interface, queueing on packets which are either between the firewall and a LAN host as one set of queues ( for 100Mb ), and for packets which are from the world and going back to a LAN host ( for my ADSL download ).

for things like ftp proxy, that would normally match firewall<->LAN rules, so i make a special rule for 'from firewall to lanhost user proxy' which queues it to the "external/download" queue on the internal iface.

jared

--
[ openbsd 3.5 GENERIC ( mar 26 ) // i386 ]
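
The routed (non-bridge) layout described in the reply above, sketched as a pf.conf fragment in the ALTQ syntax of that era. This is an added example, not configuration posted in the thread: the interface names come from the quoted question, while the LAN network, queue names and all bandwidth figures are assumptions.

```pf
# Added example. fxp1/fxp0 are from the thread; everything else is assumed.
ext_if  = "fxp1"              # ISP-facing interface
int_if  = "fxp0"              # LAN-facing interface
lan_net = "192.168.1.0/24"    # constructed LAN network

# Upload: packets leaving toward the ISP are queued on the external interface.
altq on $ext_if cbq bandwidth 512Kb queue { upload }
queue upload bandwidth 95% cbq(default)

# Internal interface carries two classes of outbound traffic:
#   local    - firewall <-> LAN host traffic at LAN speed
#   download - packets from the world going back to a LAN host
altq on $int_if cbq bandwidth 100Mb queue { local, download }
queue local    bandwidth 90Mb cbq(default)
queue download bandwidth 8Mb  cbq

# Filter rules (last matching rule wins).

# State created here queues LAN -> world packets as they leave $ext_if.
pass out on $ext_if from any to any keep state queue upload

# State created here also covers the replies that later leave $int_if,
# so the download queue is assigned on the inbound LAN rule.
pass in on $int_if from $lan_net to any keep state queue download

# Traffic between a LAN host and the firewall itself stays in "local".
pass in  on $int_if from $lan_net to ($int_if) keep state queue local
pass out on $int_if from ($int_if) to $lan_net keep state queue local

# Connections opened by ftp-proxy (running as user "proxy") originate on
# the firewall and would match the firewall -> LAN rule above, but they
# carry Internet data, so they go to the download queue instead.
pass out on $int_if proto tcp from ($int_if) to $lan_net \
    user proxy keep state queue download
```

ALTQ only queues packets as they leave an interface, so each direction is shaped on the interface it exits through; whether the same rules behave identically on a bridge is left open in the reply and is not covered here.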