Once upon a time, Kenneth Porter <shiva@xxxxxxxxxxxxxxx> said:
> I figure that TCP is easy: Add a rule to the forward chain to allow
> SYN packets. There's already connection tracking to handle
> established connections. Does connection tracking handle UDP? If I
> allow all UDP from the LAN interface and one sends a DNS query from
> LAN to WAN, will the reply get back? I don't want to blanket
> authorize all UDP. ICMPv6, maybe, to allow traceroutes. Unless
> that's also handled by the tracking system.
Anything that's already working through IPv4 NAT should work just fine
through IPv6 with connection tracking.
IPv4 NAT is a stateful, connection tracking, packet mangling firewall.
With IPv6, you can just do the same thing without the packet mangling
misfeatures of NAT, with just connection tracking.
But don't go blocking ICMP - doing that in IPv4 already can break
things, and it can break even more things in IPv6.
--
Chris Adams <linux@xxxxxxxxxxx>
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
