On Wed, Sep 14, 2011 at 1:34 PM, Tom Eastep <[email protected]> wrote:
>
> Please refer to http://www.shorewall.net/NetfilterOverview.html.
>
> Packets enter the firewall from the network and pass through PREROUTING
> and ingress traffic shaping (traffic policing, actually). It is in
> PREROUTING where DNAT occurs, either from DNAT rules or because the
> packet is part of an established connection. From there, they go to the
> blue box where they are routed (their output interface and next hop
> gateway, if any, are determined).
>
> The 'Routing Decision' depends on whether the packet is to be processed
> by the Shorewall box itself (routing defined no output interface) or if
> it is to be forwarded to another host. From there, packets are sent to
> either INPUT or FORWARD. They go through the associated 'mangle' chain
> (where tc marks and such are handled), then on to the Filter table INPUT
> or FORWARD chain. The *first thing* that happens to them there is
> Accounting. *After* that, they may be DROPped or REJECTed but they have
> already been counted.
>
> -Tom

Okay, I think I understand now. Thanks for putting up with my inane questioning, and thanks also for such an awesome program -- I don't know where I would be without Shorewall!

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
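
The traversal order described in the quoted explanation, as an added example that is not part of the original thread and is not Netfilter or Shorewall code. It is a toy model in which every address, port and rule is a constructed sample value; it shows that a packet is counted even when it is later dropped, and that accounting sees the destination address after DNAT has rewritten it.

```python
# Constructed toy model of the packet path described in the thread.
# Not Netfilter or Shorewall code; addresses, ports and rules are sample values.
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


LOCAL_ADDRS = {"203.0.113.1"}                    # the firewall's own address (assumed)
DNAT = {("203.0.113.1", 80): "192.168.1.10"}     # (original dst, port) -> new dst
FILTER_RULES = {"INPUT": {22: "ACCEPT"},         # per-chain dport -> verdict;
                "FORWARD": {443: "ACCEPT"}}      # anything unmatched is DROPped


def traverse(pkt, counters):
    """Return (verdict, path); counters maps (chain, dst) -> packets seen."""
    path = ["PREROUTING"]
    # PREROUTING: DNAT rewrites the destination before the routing decision.
    pkt.dst = DNAT.get((pkt.dst, pkt.dport), pkt.dst)
    # Routing decision: processed by the firewall itself, or forwarded.
    chain = "INPUT" if pkt.dst in LOCAL_ADDRS else "FORWARD"
    path += ["routing", f"mangle:{chain}", f"filter:{chain}"]
    # First thing in the filter chain: accounting, before any verdict.
    key = (chain, pkt.dst)
    counters[key] = counters.get(key, 0) + 1
    path.append("accounting")
    # Only after counting is the packet accepted or dropped.
    verdict = FILTER_RULES[chain].get(pkt.dport, "DROP")
    path.append(verdict)
    return verdict, path


def demo():
    counters = {}
    results = [
        traverse(Packet("198.51.100.7", "203.0.113.1", 80), counters),  # DNATed, then dropped
        traverse(Packet("198.51.100.7", "203.0.113.1", 22), counters),  # local, accepted
    ]
    return results, counters


if __name__ == "__main__":
    results, counters = demo()
    for verdict, path in results:
        print(verdict, " -> ".join(path))
    print(counters)
```

In this model the dropped port-80 packet is counted under the post-DNAT address 192.168.1.10 in FORWARD, not under the public address it was originally sent to.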
