
Re: [Shorewall-users] Accounting on dropped/rejected packets

From: Tom Eastep <teastep_at_nospam>
Date: Wed Sep 14 2011 - 21:34:34 GMT
To: Shorewall Users <shorewall-users@lists.sourceforge.net>

On Wed, 2011-09-14 at 13:14 -0800, Travis Veazey wrote:

> Sorry to keep beating a dead horse here, but I don't understand:
> unless a packet matches a DNAT rule, or is part of an already
> established connection, or else is being masqueraded and forwarded on,
> how would it enter eth1 and get routed out of eth0? Or is the default
> case that all packets arriving at the external (i.e. non-masqueraded)
> interface get routed to the internal one, get counted via accounting
> rules, and *then* we look at which ones actually should get passed
> through?
>
> Or am I just completely misunderstanding what you mean when you say "filtering"?

Please refer to http://www.shorewall.net/NetfilterOverview.html.

Packets enter the firewall from the network and pass through PREROUTING
and ingress traffic shaping (traffic policing, actually). It is in
PREROUTING where DNAT occurs, either from DNAT rules or because the
packet is part of an established connection. From there, they go to the
blue box where they are routed (their output interface and next hop
gateway, if any, are determined).

The 'Routing Decision' depends on whether the packet is to be processed
by the Shorewall box itself (routing defined no output interface) or if
it is to be forwarded to another host. From there, packets are sent to
either INPUT or FORWARD. They go through the associated 'mangle' chain
(where tc marks and such are handled), then on to the Filter table INPUT
or FORWARD chain. The *first thing* that happens to them there is
Accounting. *After* that, they may be DROPped or REJECTed but they have
already been counted.

-Tom

-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
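The traversal described in the reply above, as an added Python model that is not part of the original post or of Shorewall: DNAT in PREROUTING, a routing decision that picks INPUT or FORWARD, then a filter chain whose first step is accounting, so dropped packets are counted and DNATed packets are counted under their translated destination. The addresses, interface names and rules are constructed for the example.

```python
"""Model of netfilter traversal order: PREROUTING -> route -> filter (accounting first)."""
from collections import Counter
from dataclasses import dataclass, field

LOCAL_ADDRS = {"203.0.113.1"}  # constructed: the firewall's own external address
# constructed: one DNAT rule, (external dst, dport) -> (internal host, dport)
DNAT_TABLE = {("203.0.113.1", 80): ("192.168.1.10", 80)}


@dataclass
class Packet:
    iface_in: str
    src: str
    dst: str
    dport: int


@dataclass
class Firewall:
    accounting: Counter = field(default_factory=Counter)
    rules: list = field(default_factory=list)  # (chain, match, verdict), checked after accounting

    def prerouting(self, pkt):
        """nat PREROUTING: DNAT rewrites the destination before the routing decision."""
        target = DNAT_TABLE.get((pkt.dst, pkt.dport))
        if target:
            pkt.dst, pkt.dport = target
        return pkt

    def route(self, pkt):
        """Routing decision: a local destination goes to INPUT, anything else to FORWARD."""
        return "INPUT" if pkt.dst in LOCAL_ADDRS else "FORWARD"

    def filter(self, chain, pkt):
        # Accounting is the first thing in INPUT/FORWARD, so the packet is
        # counted (with its post-DNAT destination) before any verdict is reached.
        self.accounting[(chain, pkt.iface_in, pkt.dst, pkt.dport)] += 1
        for rule_chain, match, verdict in self.rules:
            if rule_chain == chain and match(pkt):
                return verdict
        return "DROP"  # constructed default policy

    def process(self, pkt):
        chain = self.route(self.prerouting(pkt))
        return chain, self.filter(chain, pkt)


def demo():
    """Three packets arriving on the external interface eth1 (constructed)."""
    fw = Firewall()
    fw.rules.append(("FORWARD", lambda p: p.dst == "192.168.1.10" and p.dport == 80, "ACCEPT"))
    fw.rules.append(("INPUT", lambda p: p.dport == 22, "ACCEPT"))
    verdicts = [fw.process(Packet("eth1", "198.51.100.7", "203.0.113.1", port)) for port in (80, 23, 22)]
    return verdicts, fw.accounting
```

Running `demo()` shows the port 23 packet dropped in INPUT yet present in the accounting counters, and the port 80 packet counted against 192.168.1.10 rather than the external address it was sent to.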
