yes, outbound UDP through the NAT layer adds an entry to the tracking table which expires after some time. this sorta explains it...

https://www.linuxtopia.org/Linux_Firewall_iptables/x1544.html

On Tue, May 26, 2020 at 12:59 PM Kenneth Porter <shiva at sewingwitch.com> wrote:

> I figure that TCP is easy: Add a rule to the forward chain to allow SYN
> packets. There's already connection tracking to handle established
> connections. Does connection tracking handle UDP? If I allow all UDP
> from the LAN interface and one sends a DNS query from LAN to WAN, will
> the reply get back? I don't want to blanket authorize all UDP. ICMPv6,
> maybe, to allow traceroutes. Unless that's also handled by the tracking
> system.
>
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>

--
-john r pierce
recycling used bits in santa cruz
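The stateful FORWARD rule set that the exchange above is describing, written out as an added example (this is not code from the list post or its author). It prints the iptables commands instead of applying them so the output can be reviewed before being piped into a root shell; the interface names eth1 (LAN) and eth0 (WAN) are assumptions. The point it makes concrete: there is no blanket UDP accept anywhere. A DNS query leaving the LAN is matched as NEW, conntrack records the flow, and the reply is matched by ESTABLISHED; ICMP errors tied to a tracked flow (for example the Time Exceeded messages a traceroute relies on) come back as RELATED.

```shell
#!/bin/sh
# Added example: stateful forwarding on a Linux NAT gateway.
# Assumed interface names (not from the thread): LAN = eth1, WAN = eth0.

# Emit the rules for a given LAN/WAN pair rather than applying them.
# Usage: gen_forward_rules eth1 eth0 | sudo sh
gen_forward_rules() {
  lan="$1"
  wan="$2"
  cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
EOF
}
# Rule 3 is what answers the UDP question: a DNS reply from the WAN matches
# the conntrack entry created by the outbound query, so it is ESTABLISHED
# and accepted without any protocol-specific rule. Rule 4 only lets the LAN
# originate flows (TCP, UDP or ICMP alike); nothing NEW is accepted from the WAN.

# Show the kernel's UDP tracking timeouts, which decide how long the entry
# created by an outbound datagram survives (unreplied vs. bidirectional stream).
# Prints nothing on a host without the conntrack module loaded.
show_udp_timeouts() {
  for f in /proc/sys/net/netfilter/nf_conntrack_udp_timeout \
           /proc/sys/net/netfilter/nf_conntrack_udp_timeout_stream; do
    [ -r "$f" ] && printf '%s = %s\n' "$(basename "$f")" "$(cat "$f")"
  done
  return 0
}

# Entries can be inspected live with the conntrack tool (package conntrack-tools):
#   conntrack -L -p udp --dport 53
```

To verify the behaviour on a real gateway, send one DNS query from a LAN host and list the UDP entries as shown in the last comment; the entry appears with the LAN host as source and ages out after the stream timeout once traffic stops.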