On Wed, 2011-09-14 at 13:14 -0800, Travis Veazey wrote:
> Sorry to keep beating a dead horse here, but I don't understand:
> unless a packet matches a DNAT rule, or is part of an already
> established connection, or else is being masqueraded and forwarded on,
> how would it enter eth1 and get routed out of eth0? Or is the default
> case that all packets arriving at the external (i.e. non-masqueraded)
> interface get routed to the internal one, get counted via accounting
> rules, and *then* we look at which ones actually should get passed
> through?
>
> Or am I just completely misunderstanding what you mean when you say
> "filtering"?
Please refer to http://www.shorewall.net/NetfilterOverview.html.

Packets enter the firewall from the network and pass through PREROUTING and ingress traffic shaping (traffic policing, actually). It is in PREROUTING where DNAT occurs, either from DNAT rules or because the packet is part of an established connection.

From there, they go to the blue box where they are routed (where the output interface and next hop gateway, if any, are determined). The 'Routing Decision' depends on whether the packet is to be processed by the Shorewall box itself (routing defined no output interface) or if it is to be forwarded to another host. From there, packets are sent to either INPUT or FORWARD. They go through the associated 'mangle' chain (where tc marks and such are handled), then on to the Filter table INPUT or FORWARD chain.

The *first thing* that happens to them there is Accounting. *After* that, they may be DROPped or REJECTed but they have already been counted.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
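The traversal order in the reply above, as an added model that is not Shorewall's or netfilter's code: constructed topology (eth1 external, eth0 internal), constructed DNAT and filter rules, and an accounting counter placed where Shorewall puts it, ahead of the filter verdict, so the unsolicited net-to-LAN packet from the question is routed, counted, and only then dropped.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed topology for the model: eth0 = internal LAN, eth1 = external, as in the thread.
LOCAL_ADDRS = {"203.0.113.1", "192.168.1.1"}                       # firewall's own addresses
DNAT_RULES = {("eth1", "203.0.113.1", 80): ("192.168.1.10", 80)}   # port-forward to a LAN host
accounting = Counter()  # hits on the accounting rules, the first rules in INPUT/FORWARD

@dataclass
class Packet:
    in_iface: str
    dst: str
    dport: int
    state: str = "NEW"      # conntrack state: NEW or ESTABLISHED
    dnated: bool = False

def prerouting(p: Packet) -> Packet:
    """nat PREROUTING: DNAT from an explicit rule (an ESTABLISHED flow would get it from conntrack)."""
    key = (p.in_iface, p.dst, p.dport)
    if key in DNAT_RULES:
        p.dst, p.dport, p.dnated = (*DNAT_RULES[key], True)
    return p

def route(p: Packet) -> Optional[str]:
    """Routing decision: None (no output interface) for local delivery, else the outgoing interface."""
    if p.dst in LOCAL_ADDRS:
        return None
    return "eth0" if p.dst.startswith("192.168.1.") else "eth1"

def filter_verdict(p: Packet) -> str:
    """Constructed filter policy: LAN-originated, DNATed and established traffic accepted, rest dropped."""
    if p.state == "ESTABLISHED" or p.dnated or p.in_iface == "eth0":
        return "ACCEPT"
    return "DROP"   # net->fw and net->loc policy in this model

def traverse(p: Packet) -> Tuple[str, str]:
    """Walk one packet through the hooks in the order the reply describes; returns (chain, verdict)."""
    p = prerouting(p)
    out = route(p)
    chain = "INPUT" if out is None else "FORWARD"
    # mangle INPUT/FORWARD (tc marks) would run here; nothing to do in this model.
    accounting[(chain, p.in_iface, out or "fw")] += 1   # counted before any ACCEPT/DROP
    return chain, filter_verdict(p)

def run_scenarios() -> dict:
    """Constructed packets, including the case from the question (unsolicited net->LAN)."""
    accounting.clear()
    results = {
        "unsolicited": traverse(Packet("eth1", "192.168.1.30", 445)),
        "port_forward": traverse(Packet("eth1", "203.0.113.1", 80)),
        "reply": traverse(Packet("eth1", "192.168.1.20", 22, state="ESTABLISHED")),
        "to_firewall": traverse(Packet("eth1", "203.0.113.1", 22)),
    }
    return {"results": results, "accounting": dict(accounting)}
```

The FORWARD eth1->eth0 counter ends at 3 although only two of those packets are accepted, which is the point of the reply: accounting sees the dropped packet too.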
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
