Correct, once the packets are transmitted to you, its too late to apply QoS. The only thing you can control is your outbound requests which as it happens has a directly (although not linear) relationship to the amount of traffic sent back to you. This article outlines it brilliantly and is a must read for anyone using QoS on most consumer grade equipment:
That said, classification of traffic is a much more challenging problem than QoS is and is what really needs to be addressed. This comes from a "Network Guy" on a 4/1Mbps DSL connection who works from home and has to compete with his kids playing XBOX and streaming Netflix so I play with this a lot. At this point in time, it seems like Palo Alto has the best classification engine out there and that with their QoS polcies may be the best solution around but I haven't had a chance to play with it.
(FWIW I too run Tomato Shibby on an Asus N66U)