Re: Antwort: Re: Antwort: Re: ipsets for both source and target in one iptables-rule?


 



On Fri, 2 Dec 2005 Frank.Mayer@xxxxxxxxxxxxxxxxx wrote:

> I just realized that I now think I understand what you meant by "But why
> do you specify the protocol?"
>
> I could have written the rule like
>         iptables -A -m state --state ESTABLISHED -j ACCEPT

Yes, conntrack holds entries for connections you had explicitly allowed to
open up. So (usually) there is no point in adding other matches to the rule above.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
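
The point made in the reply above, as an added example ruleset in iptables-restore format (not part of the original message): the restrictions sit on the rule that admits NEW connections, so the ESTABLISHED rule needs no further matches. The FORWARD chain, the port, and the set names `admin_hosts` and `servers` are assumptions chosen for illustration.

```iptables
# Constructed example, loaded with iptables-restore.
# Assumption: the ipsets "admin_hosts" and "servers" already exist.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Generic rule: conntrack only holds entries for flows that a NEW rule
# below has admitted, so no protocol, port or set match is repeated here.
-A FORWARD -m state --state ESTABLISHED -j ACCEPT

# All restrictions live on the rule that opens the connection:
# protocol, port, source set and destination set in a single rule.
-A FORWARD -p tcp --dport 22 -m state --state NEW -m set --match-set admin_hosts src -m set --match-set servers dst -j ACCEPT

# Everything else falls through to the DROP policy of the chain.
COMMIT
```

Packets in state RELATED (for example ICMP errors belonging to an admitted flow) are not matched by the ESTABLISHED rule and need their own decision.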

