>>> You only need the tcp rule if you plan on serving up zone transfers,
>>> not if you plan on only requesting them.
>>>
>> Well, very rare, but answers that are over 512 bytes will have
>> to be sent over tcp, since RFC 1035 mandates a maximum of 512 bytes for the udp
>> payload. So tcp is not just for zone transfers.
>
> True, but the client will then be responsible for opening up the tcp
> session, and since it will be EST, there is no need to define incoming
> SYN packets, no?
>
Hmm... no idea if a stateful udp rule involves tcp at all... this requires a netfilter dude to answer :-D
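The point the thread circles around, written out as a rule set (an added example, not from anyone in the thread): the client itself opens the tcp session when an answer is truncated, so the reply packets are ESTABLISHED and only a host that *serves* zones (or large answers) needs a NEW inbound tcp/53 rule. Assumptions: the `conntrack` match module and the default INPUT/OUTPUT chains; `IPT` defaults to `echo` so the commands are printed rather than applied (set `IPT=iptables` to run them as root).

```shell
#!/bin/sh
# Added example: DNS rules for a query-only host versus a host that also
# serves zones. IPT defaults to echo so the rules are only printed.
IPT=${IPT:-echo}

# usage: dns_rules client | dns_rules server
dns_rules() {
    mode=$1

    # Outbound queries over udp, plus the tcp fallback a resolver makes
    # itself when a udp answer comes back truncated (TC bit, > 512 bytes).
    $IPT -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

    # conntrack tracks udp "connections" as well as tcp ones, so a single
    # ESTABLISHED,RELATED rule lets both kinds of reply back in. The tcp
    # session was opened by us, so no inbound SYN rule is needed here.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    if [ "$mode" = server ]; then
        # Only a server has to accept NEW inbound traffic on 53: udp queries
        # from anyone, and tcp SYNs for zone transfers (AXFR/IXFR) or for
        # clients retrying a truncated answer over tcp.
        $IPT -A INPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
        $IPT -A INPUT -p tcp --dport 53 --syn -m conntrack --ctstate NEW -j ACCEPT
    fi

    # Anything else arriving on 53 (including unsolicited tcp SYNs on a
    # client-only box) is dropped.
    $IPT -A INPUT -p udp --dport 53 -j DROP
    $IPT -A INPUT -p tcp --dport 53 -j DROP
}
```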