From: Ermal Luçi <ermal.luci@gmail.com>
To: freebsd-pf@freebsd.org
Date: Wed, 15 Nov 2006 13:26:09 +0100
Subject: Re: how to limit bandwidth for incoming traffic that has destination to gateway itself
Message-ID: <9a542da30611150426qf6bb79cu6b24fa098088d506@mail.gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

You have to change from:

    pass out on $ext_if proto tcp from to port ssh flags S/SAFR modulate state queue(std_out, iac_out)
    pass out on $ext_if proto tcp from to port $iac_ports flags S/SAFR modulate state queue(iac_out, ack_out)

to:

    pass in on $ext_if proto tcp from to port ssh flags S/SAFR modulate state queue(std_out, iac_out)
    pass in on $ext_if proto tcp from to port $iac_ports flags S/SAFR modulate state queue(iac_out, ack_out)

Since you are tracking state with S/SAFR, that rule can keep track only of connections initiated by $gateway itself. If you use "in" it will track the connections generated by outside peers. Don't confuse the concept that ALTQ shapes only outgoing connections with the keep state one.

Hope it helps.
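The following pf.conf sketch is an added example illustrating the reply above; it is not part of the original message or of any FreeBSD/pf documentation. It shows the ALTQ queue definitions the quoted rules depend on, the "pass out" placement that only catches sessions the gateway opens, and the "pass in" placement that catches sessions opened by outside peers. The interface name em0, the bandwidth and queue percentages, the source/destination addresses and the contents of $iac_ports are all assumptions chosen for the example.

```pf
# Added example (not from the original post).  Interface, bandwidths,
# addresses and the $iac_ports list below are assumed values.
ext_if    = "em0"
iac_ports = "{ 5800, 5900 }"      # assumed; substitute the real port list

# ALTQ queues belong to the interface that packets LEAVE through.  The
# gateway's replies to an outside peer leave via $ext_if, so the queues
# are defined there even though the rule that assigns them is "pass in".
altq on $ext_if cbq bandwidth 1Mb queue { std_out, iac_out, ack_out }
queue std_out bandwidth 60% cbq(default borrow)
queue iac_out bandwidth 30% priority 5 cbq(borrow)
queue ack_out bandwidth 10% priority 7 cbq(borrow)

# Original placement.  "flags S/SAFR" matches only a bare SYN, and a SYN
# that is going OUT on $ext_if is one the gateway itself sent, so this
# state only ever covers sessions initiated by the gateway.
# pass out on $ext_if proto tcp from ($ext_if) to any port ssh flags S/SAFR \
#     modulate state queue(std_out, iac_out)

# Recommended placement.  A peer's SYN arrives INBOUND on $ext_if, so
# "pass in" is the rule that creates the state.  Every packet of that
# state which later goes out $ext_if (the gateway's replies) is put in
# the named queue; with two queues, pure ACKs and TOS-lowdelay packets
# go to the second one.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh flags S/SAFR \
    modulate state queue(std_out, iac_out)
pass in on $ext_if proto tcp from any to ($ext_if) port $iac_ports flags S/SAFR \
    modulate state queue(iac_out, ack_out)
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. To confirm the queues are actually being hit by reply traffic, open an ssh session from an outside host and watch the packet counters in `pfctl -vsq`; the std_out and iac_out counters should increase, and `pfctl -ss` shows the state as created by the "pass in" rule.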