On Wed, Mar 07, 2007 at 02:36:35PM +0800, Edy wrote:
> Hi,
>
> I am wondering if anyone has sample config on limiting bandwidth per
> source IP?
> For example, limiting an IP 192.168.1.2 for service http to 30Kb/sec
if you want to limit outgoing bandwidth per incoming source IP, you need to
assign the outgoing traffic to a queue unique to that IP. so in the example
there, you'd need a CBQ or HFSC queue that your ruleset only referenced with
respect to that individual host.

    # default deny for http; the pass rules below re-enable it per class.
    # pf uses last-matching-rule semantics, so the per-host rules listed
    # after the broad ones win for those hosts.
    block inet proto tcp from any to port 80
    pass on $ext inet proto tcp from any to port 80 keep state queue q_others
    pass on $ext inet proto tcp from 192.168.0.0/16 to port 80 keep state queue q_internal
    # one queue per host that gets its own limit
    pass on $ext inet proto tcp from 192.168.1.2 to port 80 keep state queue q_192_168_1_2
    pass on $ext inet proto tcp from 192.168.1.3 to port 80 keep state queue q_192_168_1_3

and then you set up each of those queues in the altq section however you
want, which means you can hit the "number of individual defined queues"
limit if you want to do this on a large scale. i don't remember offhand what
the limits are, but i think you can find them somewhat easily in the .c or
.h files. something like 64 or 256 last i recall...

if 192.168.1.2 in your situation is a host behind the pf(4) firewall, and
you want to limit *incoming* bandwidth from the world... that's a whole
other discussion that's all over the archives, but basically you need to
queue outbound on the interface on the firewall that is facing the host in
question, instead of the world facing one, and the caveat is that of course
you don't have control over the rate the world sends data to the firewall,
but rather, only over the rate at which the firewall forwards it to the
internal host.

i think i made a big post at one time giving an analogy about this using an
animal shelter and the rate at which people want to drop puppies off at the
shelter versus the rate that the shelter gives them out to other people, or
something like that.. search the misc@ archives for puppies, probably find
it...

-- 
jared
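The altq section that the reply above leaves to the reader, written out as a complete pf.conf fragment. This is an added example, not part of jared's post or the OpenBSD documentation. The interface names em0 (world-facing) and em1 (LAN-facing), the 10Mb and 100Mb link rates, and the bandwidths of every queue except the 30Kb per-host cap are assumptions; the stateless LAN pass-in rule is added so the sketch works end to end. pf bandwidth values are bits per second, so 30Kb is 30 kilobits; if the question meant 30 kilobytes per second, the per-host queues would be 240Kb.

```conf
# Added example (not from the original post). Interface names, link rates
# and the non-30Kb queue bandwidths are assumptions.
ext_if = "em0"            # world-facing interface (assumed)
int_if = "em1"            # interface facing the LAN (assumed)
lan    = "192.168.0.0/16"
host_a = "192.168.1.2"
host_b = "192.168.1.3"

# Case 1: limit what each LAN host may SEND to the world on port 80.
# Shaping happens on the interface the packets leave, so the queues live
# on $ext_if. One CBQ parent, one child per class. Child bandwidths must
# not add up to more than the parent's; a child without "borrow" is
# hard-capped at its own rate, which is what the per-host limit needs.
altq on $ext_if cbq bandwidth 10Mb queue { q_others, q_internal, q_192_168_1_2, q_192_168_1_3 }
queue q_others       bandwidth 5Mb  cbq(default)   # anything not assigned elsewhere
queue q_internal     bandwidth 4Mb  cbq(borrow)    # rest of the LAN, may use idle capacity
queue q_192_168_1_2  bandwidth 30Kb                # hard cap for 192.168.1.2
queue q_192_168_1_3  bandwidth 30Kb                # hard cap for 192.168.1.3

# Let LAN traffic in on $int_if WITHOUT keeping state here: pf stores the
# queue in the state, and a state created by this rule would carry no queue,
# so the $ext_if rules below would never get to assign one.
pass in on $int_if inet from $lan to any

# The reply's ruleset, with macros. Last matching rule wins, so the per-host
# rules override the broader ones for those two hosts.
block inet proto tcp from any to port 80
pass on $ext_if inet proto tcp from any to port 80 keep state queue q_others
pass on $ext_if inet proto tcp from $lan to port 80 keep state queue q_internal
pass on $ext_if inet proto tcp from $host_a to port 80 keep state queue q_192_168_1_2
pass on $ext_if inet proto tcp from $host_b to port 80 keep state queue q_192_168_1_3

# Case 2 (the "incoming" discussion in the reply): limit what the firewall
# FORWARDS to 192.168.1.2. The only place the firewall controls that rate is
# the interface facing the host, so the queue is defined on $int_if and
# assigned by a rule whose packets leave on $int_if. Use this instead of,
# not together with, a per-host $ext_if queue for the same host: a
# connection's queue is fixed by the rule that created its state.
altq on $int_if cbq bandwidth 100Mb queue { q_lan_default, q_to_192_168_1_2 }
queue q_lan_default    bandwidth 99Mb cbq(default)
queue q_to_192_168_1_2 bandwidth 30Kb               # hard cap toward 192.168.1.2

pass out on $int_if inet proto tcp from any port 80 to $host_a keep state queue q_to_192_168_1_2
```

Load it with `pfctl -f /etc/pf.conf` and watch `pfctl -vsq`: each queue's packet and byte counters should move for the host you are testing from. If the per-host queue stays at zero while the default queue climbs, the connection's state was created by a rule that named no queue, or named one that is not defined on the interface the packets leave; in either case the packets fall into that interface's default queue and are not capped.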
