yes, outbound UDP through the NAT layer adds an entry to the tracking table which expires after some time.
this sorta explains it... https://www.linuxtopia.org/Linux_Firewall_iptables/x1544.html
On Tue, May 26, 2020 at 12:59 PM Kenneth Porter shiva@sewingwitch.com wrote:
I figure that TCP is easy: Add a rule to the forward chain to allow SYN packets. There's already connection tracking to handle established connections. Does connection tracking handle UDP? If I allow all UDP from the LAN interface and one sends a DNS query from LAN to WAN, will the reply get back? I don't want to blanket authorize all UDP. ICMPv6, maybe, to allow traceroutes. Unless that's also handled by the tracking system.
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos