An important reason to be able to do incoming shaping is that you may lose
information while routing, which doesn't help you with shaping on egress.
For example, to shape traffic going via a proxy server, outgoing.

There is no way to recognize on ppp0 that traffic was generated by an
internal host who sent it to eth0, where it was packaged by a proxy, and
sent out over ppp0.

With ingress shaping I would be able to do that.

So in short - if you like CBQ, HTB etc on egress, and you accept that
informationloss occurs between ingress and egress, you want to be able to
shape ingress.

Regards,

bert

Obviously ...
... the only other option, besides rejection of course ;-)
I use application-level software for that (iplimit in conjunction with
tcpserver allows me to limit per-service connection rates on a per-source
basis).
I agree with the Unix-way of doing things usually, not the emacs way --
don't build it into the program if it works just as well outside the
program; thus iplimit. Programs that accept their own connections,
like Apache, can't use an external program of course (yet), so it would
make sense to build this in although I proxy my incoming connections
through a Squid service set up as an accelerator with bandwidth pools
turned on.
I've got around that in some situations by teaching myself to treat the
gateway/firewall box as a non-service box -- it runs nothing but the
firewalls, tunneling, forwarding and shaping. This allows it to work as
desired (all traffic goes out one of the two interfaces; none goes
to the local host).

Bert didn't think it was so obvious.
(I don't understand yet what squid is doing.)
There are benefits to doing this sort of thing at the firewall.
For instance, it works for servers running different OS's.
And once you have the control working for your inside network it
seems unreasonable to have to change the implementation in order
to move a server to the firewall machine.

(Another advantage of doing it at the firewall is that you can then
control the aggregate of traffic to different hosts. But the ability
to shape traffic to the local host would not be enough to retain that
advantage when moving a server to the firewall.)
I'm not sure what the emacs reference was all about. I'm not
suggesting building the limit into the server, just the opposite.
(My solution also works with apache.)
That's a solution dictated by the necessity imposed by our inability
to shape traffic to the local host. Clearly there are times when
you'd rather run something on the firewall. There are also times
when you have to - programs that are supposed to communicate with the
outside world to control the firewall. It's just as important (maybe
more) to shape the traffic to those programs as to others.

Ok, so I think it's reasonable to view the outgoing http client
packets as coming from the squid machine, and they can/should be
shaped/accounted as such.

That brings us back to my original argument that it's not necessary
to shape incoming traffic that is to be forwarded, since that traffic
can be shaped on the way out. This is not strictly true, since the
work at input could save some work between the input and output, but
it's a pretty good approximation. On the other hand, if you accept my
argument that it's useful to shape traffic to the local machine, then
you agree with me that it would be worth while to add shaping at
input, in which case the case above that I suggest is unnecessary
comes for free.
Attackers generally don't really want to communicate with you. They
just want to prevent others from doing so. In any case, I'm trying to
protect legitimate communication even when under an attack by that
sort of attacker.