I can exactly see what is coming out of the box by having two ssh connections to it and running “tcpdump -i ETH01” in one and “tcpdump -i ETH02” in the other. Also, I don’t care about which way lightweight connections like DNS go out. What I care about are major traffic flows like people watching youtube and how they’re load balanced.
As far as Linux outbound load balancing is concerned the answer is not as straightforward as you suggest. As far as I understand there are at least two ways of doing it, one using advanced routing and multipath default routes (http://lartc.org/howto/lartc.rpdb.multiple-links.html) and the other one using netfilter/iptables and n-th/random patches or statistics module (http://www.sysresccd.org/Sysresccd-networking_en_Iptables-and-netfilter-load-balancing-using-connmark#The_statistic_match) and I am not clear how it is done in Zeroshell and don’t have the time to review the code to work it out.