On Wed, Sep 14, 2011 at 1:03 PM, Tom Eastep <[email protected]> wrote:
> On Wed, 2011-09-14 at 12:51 -0800, Travis Veazey wrote:
>
>> Ha! Well, doesn't that just make things so very easy?
>>
>> And just to clarify, this does not apply -- at least not in the same
>> way -- to accounting rules that look at packets which e.g. enter on
>> eth0 and leave on eth1, right? For example, the rule:
>>
>> traffic:COUNT - eth1 eth0
>>
>> would only count packets that actually get routed through (i.e. get
>> accepted and routed), and would not count packets that hit eth1 but
>> are then dropped or rejected, right?
>
> It counts *all* packets that enter via eth1 and get routed out of eth0,
> regardless of their subsequent disposition. One more time - Accounting
> occurs *before any filtering*.
>
> -Tom
Sorry to keep beating a dead horse here, but I don't understand: unless a packet matches a DNAT rule, or is part of an already established connection, or else is being masqueraded and forwarded on, how would it enter eth1 and get routed out of eth0?

Or is the default case that all packets arriving at the external (i.e. non-masqueraded) interface get routed to the internal one, get counted via accounting rules, and *then* we look at which ones actually should get passed through? Or am I just completely misunderstanding what you mean when you say "filtering"?

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
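The ordering Tom describes, modelled as an added example that is not Shorewall code and not from either poster: the outgoing interface comes from the routing decision (a route lookup made before the FORWARD path is consulted), the accounting rule `traffic:COUNT - eth1 eth0` is evaluated next, and only then do the filter rules decide whether the packet is accepted or dropped. The routing table, the allowed destination and the packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    in_iface: str
    dst: str


# Constructed routing table: destination prefix -> outgoing interface.
ROUTES = {
    "192.168.1.0/24": "eth0",   # internal LAN behind eth0
    "10.9.0.0/16": "eth2",      # a second internal segment (hypothetical)
    "0.0.0.0/0": "eth1",        # default route via the external interface
}


def route(dst: str) -> str:
    """Longest-prefix match: the route lookup happens before any FORWARD rule."""
    addr = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(p) for p in ROUTES]
    best = max((n for n in nets if addr in n), key=lambda n: n.prefixlen)
    return ROUTES[str(best)]


@dataclass
class Firewall:
    # The accounting rule from the thread: chain "traffic", in eth1, out eth0.
    accounting: list = field(default_factory=lambda: [("traffic", "eth1", "eth0")])
    counters: dict = field(default_factory=dict)
    # Constructed filter policy: only one LAN host may be reached from outside.
    allowed_dsts: set = field(default_factory=lambda: {"192.168.1.10"})

    def forward(self, pkt: Packet) -> str:
        out_iface = route(pkt.dst)                       # 1. routing decision
        for chain, in_if, out_if in self.accounting:     # 2. accounting runs first
            if pkt.in_iface == in_if and out_iface == out_if:
                self.counters[chain] = self.counters.get(chain, 0) + 1
        # 3. filtering decides the packet's fate; the counter is already incremented
        return "ACCEPT" if pkt.dst in self.allowed_dsts else "DROP"


def demo():
    """Three packets arrive on eth1; two are routed to eth0, one to eth2."""
    fw = Firewall()
    dsts = ("192.168.1.10", "192.168.1.20", "10.9.3.4")
    verdicts = [fw.forward(Packet("eth1", d)) for d in dsts]
    return verdicts, fw.counters.get("traffic", 0)
```

The dropped packet to 192.168.1.20 is still counted because it was routed out of eth0 before the filter rules ran; the packet to 10.9.3.4 is not counted because routing sent it to eth2.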
