Travis Veazey wrote:
>Sorry to keep beating a dead horse here, but I don't understand:
>unless a packet matches a DNAT rule, or is part of an already
>established connection, or else is being masqueraded and forwarded on,
>how would it enter eth1 and get routed out of eth0?

I think what Tom is saying is that the routing is decided before any filtering is applied - and accounting is also done prior to filtering. So packet arrives on eth1, the route is decided - i.e. it will go out via eth0. At this point, it is accounted for, and only then do the filtering rules get applied to decide if it will be passed or not. So it may well get counted - but then dropped.

--
Simon Hobson
