Hello,

Rob Sterenborg wrote:
- Any reply packet in an established connection will be accepted using "--state RELATED,ESTABLISHED". Actually, you don't need RELATED here, but it doesn't hurt either and you do need it if you want to forward FTP and such protocols.
ICMP error messages (destination unreachable, TTL exceeded, fragmentation needed...) are in the RELATED state. So you need RELATED if you don't want to break ICMP error signalling and mechanisms which rely on it such as Path MTU Detection (PMTUD).
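A check for the situation discussed in this message, as an added example that is not part of the original thread: it reads `iptables-save` output and names every chain that accepts ESTABLISHED packets but has no ACCEPT rule for RELATED, so ICMP errors tied to tracked connections would not be accepted there. It goes slightly beyond the message by also recognising the `-m conntrack --ctstate` form; the function names, the sample ruleset and the interface names `eth0`/`eth1` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message).

# Reads iptables-save text on stdin and prints, one per line, each chain that
# has an ACCEPT rule matching ESTABLISHED but no ACCEPT rule matching RELATED.
chains_missing_related() {
    awk '
    $1 == "-A" {
        chain = $2; states = ""; target = ""
        for (i = 3; i < NF; i++) {
            # Skip negated matches such as "! --state INVALID".
            if (($i == "--state" || $i == "--ctstate") && $(i - 1) != "!")
                states = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        if (target != "ACCEPT" || states == "") next
        n = split(states, s, ",")
        for (k = 1; k <= n; k++) {
            if (s[k] == "ESTABLISHED") est[chain] = 1
            if (s[k] == "RELATED")     rel[chain] = 1
        }
    }
    END {
        for (c in est) if (!(c in rel)) print c
    }' | sort
}

# Constructed sample ruleset: INPUT accepts RELATED,ESTABLISHED, while
# FORWARD accepts only ESTABLISHED.
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Stand-alone run over the constructed sample.
sample_ruleset | chains_missing_related
```

On a live host the input would come from `iptables-save` instead of `sample_ruleset`. A chain is reported only when no ACCEPT rule in it mentions RELATED at all, so a ruleset that accepts RELATED in a separate, narrower rule is not flagged.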