Hi all. I recently installed a service-policy on my PIX to police inbound http responses from the Internet. Although I got it to work, in order to do so, I had to apply it to the inside interface of my PIX and set the source port to http? This didn't make any sense to me.
This seems to do the opposite of what I want. But it works. When I applied it to the outside interface, it didn't work ('sh service-policy police' showed the counter didn't increment for traffic that was clearly exceeding the service policy). My mind is telling me that this rule is actually limiting my browser's responses such as POST data. But my browsing experience is telling me that it's doing what I wanted it to do. I can't make any sense of it.
Secondly, I'm curious to know if a policy to police data that is on the wire already is even worthwhile. If it is implemented properly, and enough packets are dropped, then I suppose for TCP the far end would back off and operate according to the rules of the protocol. But the packet was already on the wire. Dropping it seems stupid, because if you are paying for bandwidth based upon usage, you are going to be paying twice: you dropped the packet to tell the sender to back off, and now you have to receive the packet again. Can anybody clear these issues up for me?
Code:
access-list limit_traffic extended permit tcp any eq www any
access-list limit_traffic extended permit tcp any object-group ftp-protocol any
class-map limit_traffic
match access-list limit_traffic
policy-map limit_traffic
class limit_traffic
inspect ftp
police 1048500 1500
service-policy limit_traffic interface inside
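As an added example (not part of the original post and not Cisco code), the following models what `police 1048500 1500` does to a packet stream. It assumes the documented PIX/ASA semantics of a single-rate token bucket: the first argument is the conform rate in bits per second, the second is the burst size in bytes, and a packet that finds fewer tokens than its size is dropped rather than queued. The traffic streams are constructed for the example; real browser traffic is burstier. The model does not address which interface or direction the policy should be applied on, only how the two numbers behave once traffic matches the class.

```python
"""Single-rate token-bucket policer modelled on the PIX/ASA
`police <conform-rate-bps> <burst-bytes>` semantics (assumption, see lead-in).

Tokens (in bytes) accrue at conform_rate_bps / 8 per second and the bucket
never holds more than burst_bytes.  A packet conforms if the bucket holds at
least its size; otherwise it exceeds and is dropped without consuming tokens.
"""
from dataclasses import dataclass, field


@dataclass
class Policer:
    conform_rate_bps: int          # e.g. 1048500 as in the posted policy-map
    burst_bytes: int               # e.g. 1500, i.e. one MTU-sized packet
    tokens: float = field(init=False)
    last_t: float = 0.0

    def __post_init__(self) -> None:
        # Bucket starts full, so the first burst_bytes always conform.
        self.tokens = float(self.burst_bytes)

    def offer(self, t: float, size_bytes: int) -> str:
        """Offer a packet of size_bytes arriving at time t (seconds)."""
        elapsed = max(0.0, t - self.last_t)
        self.tokens = min(float(self.burst_bytes),
                          self.tokens + elapsed * self.conform_rate_bps / 8)
        self.last_t = t
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return "conform"
        return "exceed"


def police_stream(policer: Policer, packets) -> dict:
    """Run (time, size) packets through the policer and tally the outcome.

    bytes_in counts everything that arrived on the link regardless of verdict,
    which is the cost the poster is worried about: dropped bytes were still
    received (and paid for) before the policer threw them away.
    """
    stats = {"conform": 0, "exceed": 0, "bytes_in": 0, "bytes_dropped": 0}
    for t, size in packets:
        verdict = policer.offer(t, size)
        stats[verdict] += 1
        stats["bytes_in"] += size
        if verdict == "exceed":
            stats["bytes_dropped"] += size
    return stats


def steady_stream(pps: int, size: int, seconds: float):
    """Constructed traffic: `pps` packets per second of `size` bytes each."""
    return [(i / pps, size) for i in range(int(pps * seconds))]


if __name__ == "__main__":
    rate, burst = 1048500, 1500   # the values from the posted policy-map
    # 50 x 1500 B/s = 600 kbit/s, under the conform rate: nothing dropped.
    print(police_stream(Policer(rate, burst), steady_stream(50, 1500, 1)))
    # 100 x 1500 B/s = 1.2 Mbit/s, over the rate: with a one-packet burst the
    # bucket never refills fast enough for two full-size packets in a row,
    # so every second packet is dropped even though it already crossed the link.
    print(police_stream(Policer(rate, burst), steady_stream(100, 1500, 1)))
```

With a burst of only 1500 bytes the bucket can absorb exactly one full-size segment, so as soon as the offered rate exceeds the conform rate the policer drops every other packet; the bytes_in/bytes_dropped figures make the "paid for it, then dropped it" cost visible. A larger burst smooths short spikes without raising the long-term rate, which is the usual tuning knob when the drop pattern is too aggressive.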