Incoming (ingress) traffic shaping on Linux - bw is lower than expected

bw is lower than expected

I think you have to increase burst as well correspondingly.

Is it possible to effectively limit incoming bandwidth?

I'd say you surely can achieve a similar effect by dropping packets instead of receiving them. For protos like TCP, which have bandwidth self-tuning mechanisms, it would effectively work. Take a look at http://www.linuximq.net/faq.html
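An added example, not part of the answer above and not code from any tool it mentions: a small simulation of why too small a burst makes a drop-based ingress limiter deliver less than its configured rate. It assumes the limiter is a token-bucket policer and that packets arrive in back-to-back bursts; every rate, size and timing in it is a constructed value.

```python
# Added example: token-bucket policer fed with bursty arrivals.
# All rates, packet sizes and timings below are constructed values.

PKT = 1500            # bytes per packet (constructed)
RATE = 1_250_000      # policer rate in bytes/s, i.e. 10 Mbit/s (constructed)


def bursty_arrivals(duration_s, pkts_per_burst=20, period_us=10_000, gap_us=12):
    """Yield arrival times in microseconds: one back-to-back burst per period.

    The defaults offer 24 Mbit/s, well above the policed rate.
    """
    for start in range(0, int(duration_s * 1_000_000), period_us):
        for i in range(pkts_per_burst):
            yield start + i * gap_us


def policed_throughput(burst_bytes, duration_s=10):
    """Return the bytes/s that pass a policer with the given bucket depth."""
    tokens = float(burst_bytes)   # bucket starts full
    last_us = 0
    passed = 0
    for t_us in bursty_arrivals(duration_s):
        # Refill for the elapsed time, never above the bucket depth.
        tokens = min(burst_bytes, tokens + RATE * (t_us - last_us) / 1_000_000)
        last_us = t_us
        if tokens >= PKT:
            tokens -= PKT
            passed += PKT
        # Otherwise the packet is dropped and the tokens are left untouched.
    return passed / duration_s


if __name__ == "__main__":
    for burst in (3_000, 6_000, 15_000, 30_000):
        bps = policed_throughput(burst)
        print(f"burst {burst:>6} B -> {bps * 8 / 1e6:5.2f} Mbit/s of 10.00 configured")
```

With a bucket that holds only two packets, most of each arriving burst is dropped and the bucket then sits full and idle until the next burst, so the measured rate stays far below the configured one.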


Is it possible to effectively limit incoming bandwidth?

NO.

Trying to limit incoming bandwidth is basically trying to limit the flow of a firehose by holding up a board with a hole drilled in it: You will reduce the amount of water that hits you, but you're still being hit by the firehose.

Carrying the firehose analogy further, if you need 100 gallons of water but limit the rate at which it's getting to you (by holding up the board with the hole in it) you're still bearing the brunt of the force of the firehose (traffic coming down your pipe), but not getting most of that water (because only what happens to go through the hole reaches you -- The rest is dropped on the floor by your firewall board).

The effect of blocking all that water is that it takes longer to fill your 100 gallon bucket.
The effect of blocking TCP packets with a firewall is a little worse, because you trigger the remote host's congestion control algorithm, which in an ideal world makes it turn down the pressure on the firehose, sometimes substantially lower than you would like it to.

Incidentally this is also why a local firewall can't save you from DoS attacks - you still have to deal with all the traffic, even if it's just to make the decision to ignore it. A DoS attack is unlikely to honor congestion control procedures for obvious reasons.