A feature which appears to be missing from BorderManager packet
filters, but which is present in most other packet filtering
systems, is a counter of how many times each rule has been

The overhead is low - one counter per rule in the rules data on
the server, plus one increment operation each time the rule is
invoked. The counters could be zeroed when filtering is loaded; this
is not intended to be a 'how often has this rule been used since the
beginning of time' figure.

The simplest place to get the information out would be to add
it to the text file generated by filtcfg. A note of when filtering
was loaded, as well as the current time, in this file would be
useful as well.

This feature is present in Linux iptables, in Cisco IOS and in Proteon
router packet filters, off the top of my head. It is primarily useful
when you have a complex filter configuration which has evolved over
time and you suspect there are filters which are no longer required,
but can also be useful as a diagnostic - again particularly on a
busy system. If the hit counter for a rule you expect to permit
some service is sitting obstinately at zero while the service is
being tested and failing, this gives hints about where to look next.

John Lines <http://www.paladin.demon.co.uk/john.lines.html>
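A small model of the counter described in the post above, added here as an example and not code from the post, from BorderManager or from filtcfg: one counter per rule, zeroed at load, one increment per match, a dump with load time and current time, and both uses the post mentions (a dead rule that nothing hits any more, and a permit rule sitting at zero because an earlier rule catches the traffic first). Rule names, packet fields, the sample traffic and the dump layout are assumptions made for the example.

```python
"""Per-rule hit counters for a first-match packet filter (added example;
rule names, packet fields and dump layout are assumptions, not
BorderManager or filtcfg's own)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


def any_net() -> IPv4Network:
    return ip_network("0.0.0.0/0")


@dataclass
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    name: str
    action: str                  # "permit" or "deny"
    proto: Optional[str] = None  # None matches any protocol
    src: IPv4Network = field(default_factory=any_net)
    dst: IPv4Network = field(default_factory=any_net)
    dport: Optional[int] = None  # None matches any destination port
    hits: int = 0                # the per-rule counter

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and ip_address(pkt.src) in self.src
                and ip_address(pkt.dst) in self.dst
                and (self.dport is None or self.dport == pkt.dport))

    def text(self) -> str:
        port = "" if self.dport is None else f" dport {self.dport}"
        return f"{self.action} {self.proto or 'any'} {self.src} -> {self.dst}{port}"


class Filter:
    """Ordered first-match rule list with a default action."""

    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules = list(rules)
        self.default = default
        self.default_hits = 0
        self.loaded_at = datetime.now(timezone.utc)
        for r in self.rules:     # counters are zeroed when filtering is loaded
            r.hits = 0

    def process(self, pkt: Packet) -> str:
        for r in self.rules:
            if r.matches(pkt):
                r.hits += 1      # one increment per rule invocation
                return r.action
        self.default_hits += 1
        return self.default

    def unused_rules(self) -> List[str]:
        """Rules never matched since load: removal candidates, or, for a
        permit that should be passing live traffic, a sign that an earlier
        rule is catching the packets first."""
        return [r.name for r in self.rules if r.hits == 0]

    def dump(self, now: Optional[datetime] = None) -> str:
        """filtcfg-style text report with load time and current time."""
        now = now or datetime.now(timezone.utc)
        fmt = "%Y-%m-%d %H:%M:%S %Z"
        lines = [f"# filters loaded: {self.loaded_at.strftime(fmt)}",
                 f"# report taken:   {now.strftime(fmt)}",
                 f"{'hits':>8}  rule"]
        lines += [f"{r.hits:>8}  {r.text()}  ({r.name})" for r in self.rules]
        lines.append(f"{self.default_hits:>8}  {self.default} (default)")
        return "\n".join(lines)


def run_demo() -> Filter:
    """Constructed rule set and traffic. The DMZ UDP deny shadows the DNS
    permit, so that permit stays at zero while DNS is failing; the old FTP
    permit stays at zero because nothing uses it any more."""
    f = Filter([
        Rule("deny-telnet", "deny", "tcp", dport=23),
        Rule("permit-web", "permit", "tcp", ip_network("10.0.0.0/8"), dport=80),
        Rule("deny-udp-from-dmz", "deny", "udp", ip_network("192.168.1.0/24")),
        Rule("permit-dns-dmz", "permit", "udp", ip_network("192.168.1.0/24"),
             ip_network("192.168.1.53/32"), dport=53),
        Rule("permit-old-ftp", "permit", "tcp", ip_network("10.0.0.0/8"), dport=21),
    ])
    traffic = [  # constructed sample packets
        Packet("tcp", "10.1.2.3", "203.0.113.10", 80),
        Packet("tcp", "10.1.2.3", "203.0.113.10", 80),
        Packet("tcp", "10.1.2.4", "203.0.113.11", 23),
        Packet("udp", "192.168.1.7", "192.168.1.53", 53),
        Packet("udp", "192.168.1.8", "192.168.1.53", 53),
        Packet("tcp", "10.9.9.9", "203.0.113.12", 443),
    ]
    for pkt in traffic:
        f.process(pkt)
    return f


if __name__ == "__main__":
    flt = run_demo()
    print(flt.dump())
    print("zero-hit rules:", ", ".join(flt.unused_rules()))
```

Reading the dump, `permit-old-ftp` at zero after a busy period is the "no longer required" case, while `permit-dns-dmz` at zero during a failing DNS test points at the `deny-udp-from-dmz` rule above it, which is exactly the hint the post describes.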