Re: SFTP + pf + queueing: seemingly incorrect bandwidth limiting

[kami petersen <kokamomi_(_at_)_gueststars_(_dot_)_net>]

Christopher Snell wrote:
> --------begin clip----------------
> % scp -P 40022 bigfile me_(_at_)_10_(_dot_)_0_(_dot_)_0_(_dot_)_22:~/
> cjs_(_at_)_10_(_dot_)_0_(_dot_)_0_(_dot_)_22's password: 
> bigfile                                         1% 2112KB 422.3KB/s   05:35 ETA
> -----------end clip----------------

a. if this means your pushing bigfile from a machine outside $ext_if 
then there's nothing you can do about queing. queing can only happen on 
the way out of an interface.

b. if this means your pushing bigfile from inside $ext_if to an outside 
machine, you need something like this as well:

pass out on $ext_if from any to 10.0.0.22 port 40022 \
	flags S/SA keep state queue (ssh_bulk, ssh_interactive)


> --------begin clip----------------
> ext_if = "xl0"
> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12 }"
> icmp_types = "echoreq"
> scrub in all
> scrub reassemble tcp
> altq on $ext_if cbq bandwidth 50Kb queue { std, ssh, http }
> queue std priority 2 cbq(default)
> queue http priority 1
> queue ssh bandwidth 10Kb { ssh_interactive, ssh_bulk } 
> queue ssh_bulk priority 1
> queue ssh_interactive priority 3
> block all 
> pass quick on lo0 all
> antispoof for $ext_if inet
> block drop in  quick on $ext_if from $priv_nets to any
> block drop out quick on $ext_if from any to $priv_nets
> pass in on $ext_if inet proto tcp from any to ($ext_if) \
>      port 40022 queue (ssh_bulk, ssh_interactive) keep state
> pass in on $ext_if inet proto tcp from any to ($ext_if) \
>      port 113 flags S/SA keep state
> pass in inet proto icmp all icmp-type $icmp_types keep state
> pass in on $ext_if inet proto tcp from any to ($ext_if) port 80 queue http keep 
> state
> pass out on $ext_if proto tcp from $ext_if to any queue default flags S/SA keep 
> state
> pass out on $ext_if proto { udp, icmp } from ($ext_if) to any queue default keep
>  state