On Thursday 11 September 2008, Andrew Schulman wrote:
> > If so, do I need any rules on the external interface other than the
> > rules to allow the outgoing query (tcp and udp) and an
> > "established,related" rule?
>
> Nope. "Established" covers direct replies to UDP packets (i.e. DNS
> requests) that you've already sent out, so that's probably all you need in
> this case. "Related" covers new connections related to the first one, such
> as FTP data connections triggered by FTP control traffic. I don't think
> there are any "related" criteria that apply to DNS.

What about some ICMP (port|host) unreachable packet when you try to query a
broken DNS server? Isn't that a RELATED packet?

--
Regards
Vladislav Kurz

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
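Editor's added example, not part of the thread and not written by either poster: the minimal stateful ruleset on the external interface of a host that only needs to query an upstream resolver, with comments on how conntrack classifies the traffic the thread is discussing. The answer to the question above is yes: nf_conntrack hands an ICMP error (destination/port/host unreachable, time exceeded, and so on) whose embedded header matches an existing entry the state RELATED, so the "established,related" rule already accepts a port-unreachable coming back from a broken resolver. Assumptions, adjust both: external interface eth0 and upstream resolver 192.0.2.53 (a documentation address).

```iptables
# Added example (not from the thread). Load with: iptables-restore < this-file
# Assumed: external interface eth0, upstream resolver 192.0.2.53
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Loopback is always fine.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Replies to anything this host initiated. ESTABLISHED matches the UDP answer
# to a query conntrack has already seen leave. RELATED matches ICMP errors
# (type 3 destination/port/host unreachable, type 11 time exceeded, ...) whose
# embedded IP/UDP header points back at that same query entry, so an
# unreachable from a broken resolver is accepted here as well; no separate
# ICMP rule is needed for that case.
-A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# New queries to the configured resolver only: UDP first, TCP for truncated
# answers and zone transfers. Pinning the destination keeps a compromised host
# from talking to arbitrary port-53 services on the Internet.
-A OUTPUT -o eth0 -p udp -d 192.0.2.53 --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp -d 192.0.2.53 --dport 53 -m conntrack --ctstate NEW -j ACCEPT

# Packets conntrack cannot tie to any entry (for example an ICMP error whose
# embedded header matches nothing, or a spoofed "reply") are INVALID; drop
# them explicitly, then log what falls through to the default policy.
-A INPUT -i eth0 -m conntrack --ctstate INVALID -j DROP
-A INPUT -i eth0 -m limit --limit 5/min -j LOG --log-prefix "ext-in-drop: "
COMMIT
```

To see the classification yourself: run a query, then `conntrack -L -p udp --dport 53` (or read /proc/net/nf_conntrack) shows the UDP entry; point the resolver address at a host that has nothing on port 53 and temporarily put `-A INPUT -i eth0 -p icmp -m conntrack --ctstate RELATED -j LOG` in front of the first INPUT rule, and the returning port-unreachable is logged with the RELATED state rather than hitting the drop policy. The ICMP error is only RELATED while the UDP entry exists (the default unreplied-UDP timeout is short, 30 seconds), which is exactly the window in which the answer or the error should arrive.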