Hi security folks ;)

I hope I don't reinvent the wheel with this or that it is a FAQ: the company I work for will connect some servers via an S-DSL line. We have 16 IP addresses and the setup is like this:

    -sdsl-line->(ext:SDSLRouter:int)<->(eth0:LinuxFW:eth1-4)<->DMZ1-4

Since I cannot configure/monitor the router (well, I could via the unpassworded serial port ;) ), I want to set up traffic accounting on my Linux firewall. For now this should only allow me to monitor whether the monthly traffic limit is reached, so it will suffice to count all bytes that enter/leave through the external interface of the firewall (missing traffic that is directed directly to the router and adding traffic that is only between the firewall and the router, but that's OK).

I did the following (eth0 is the external interface of the firewall):

    # accounting chain in the mangle table; its only rule is a RETURN whose
    # packet/byte counters record everything sent through the chain
    iptables -t mangle -N acc_traffic
    iptables -t mangle -I acc_traffic -j RETURN
    # everything arriving on eth0 ...
    iptables -t mangle -I PREROUTING -i eth0 -j acc_traffic
    # ... and everything leaving via eth0 passes through the chain
    iptables -t mangle -A POSTROUTING -o eth0 -j acc_traffic

Now I can get the IP traffic byte summary that enters and leaves via eth0 to the SDSL line by calling

    iptables -t mangle -vx -L acc_traffic

A script that is started when the firewall goes up/down and run by cron every hour can generate and save the used IP traffic.

My short question is: will it affect the performance of the firewall in a bad way if all packets that enter/leave via eth0 have to pass through my accounting chain? Is my solution totally dumb (I tried ipac-ng, but was not happy with its configuration, meaning I was too dumb to get it to work properly)?

peace,
Tom

P.S.: sorry for my wacky English, but it is 33 degrees Celsius in this room :p
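As an added example (not part of Tom's post), here is one way the hourly cron/up-down script could be written against the acc_traffic chain above. The script name acc_traffic.sh, the totals file under /var/lib/acc_traffic/ and the sample iptables listing are all assumptions of this example. It relies on one real iptables feature: passing -Z together with -L lists the counters and zeroes them in the same call, so each run records only the bytes since the previous run, and a firewall restart (which resets the counters) loses at most the interval since the last run. When it is not run as root, or iptables is not installed, it falls back to the constructed sample so the parsing can be exercised anywhere.

```shell
#!/bin/sh
# Hourly traffic accounting for the acc_traffic mangle chain.
# Added example; ACC_TOTAL_FILE and the script name are assumed names.
ACC_CHAIN=acc_traffic
ACC_TOTAL_FILE=${ACC_TOTAL_FILE:-/var/lib/acc_traffic/total_bytes}

# Constructed sample of `iptables -t mangle -vxn -L acc_traffic` output,
# used when the script cannot query the live firewall.
SAMPLE_LISTING='Chain acc_traffic (2 references)
    pkts      bytes target     prot opt in     out     source               destination
  123456  987654321 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Read an iptables listing on stdin and print the byte counter of the
# RETURN rule. Every packet that enters the chain, whether from the
# PREROUTING (-i eth0) or the POSTROUTING (-o eth0) jump, hits that rule,
# so this is inbound plus outbound bytes on eth0. %.0f avoids 32-bit wrap.
chain_bytes() {
    awk '$3 == "RETURN" { sum += $2 } END { printf "%.0f\n", sum + 0 }'
}

# Add a byte count ($2) to the running total kept in file $1 (created if
# missing), write it back and print the new total.
add_to_total() {
    file=$1 delta=$2
    old=0
    [ -f "$file" ] && old=$(cat "$file")
    new=$(awk -v a="$old" -v b="$delta" 'BEGIN { printf "%.0f\n", a + b }')
    printf '%s\n' "$new" > "$file"
    printf '%s\n' "$new"
}

# Bytes to MiB with one decimal, for the log line.
to_mib() {
    awk -v b="$1" 'BEGIN { printf "%.1f\n", b / 1048576 }'
}

main() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
        # -L with -Z: list the counters and zero them in one call, so the
        # next run starts from zero and nothing is counted twice.
        listing=$(iptables -t mangle -vxn -L "$ACC_CHAIN" -Z)
    else
        listing=$SAMPLE_LISTING   # constructed sample, see above
    fi
    mkdir -p "$(dirname "$ACC_TOTAL_FILE")"
    delta=$(printf '%s\n' "$listing" | chain_bytes)
    total=$(add_to_total "$ACC_TOTAL_FILE" "$delta")
    printf '%s %s bytes since last run, %s MiB this month\n' \
        "$(date '+%Y-%m-%d %H:%M:%S')" "$delta" "$(to_mib "$total")"
}

# Run the accounting step only when executed as acc_traffic.sh, so the
# functions can also be sourced without side effects.
if [ "${0##*/}" = "acc_traffic.sh" ]; then main "$@"; fi
```

Save it as acc_traffic.sh, call it from the hourly cron job and from the firewall's shutdown hook (so the partial hour before a restart is captured too), and reset the totals file at the start of each billing month. If in and out ever need to be reported separately, the same parsing can be pointed at the PREROUTING and POSTROUTING listings, where the jump rules into acc_traffic carry the per-direction counters.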