Once upon a time, Kenneth Porter <shiva at sewingwitch.com> said: > I figure that TCP is easy: Add a rule to the forward chain to allow > SYN packets. There's already connection tracking to handle > established connections. Does connection tracking handle UDP? If I > allow all UDP from the LAN interface and one sends a DNS query from > LAN to WAN, will the reply get back? I don't want to blanket > authorize all UDP. ICMPv6, maybe, to allow traceroutes. Unless > that's also handled by the tracking system. Anything that's already working through IPv4 NAT should work just fine through IPv6 with connection tracking. IPv4 NAT is a stateful, connection tracking, packet mangling firewall. With IPv6, you can just do the same thing without the packet mangling misfeatures of NAT, with just connection tracking. But don't go blocking ICMP - doing that in IPv4 already can break things, and it can break even more things in IPv6. -- Chris Adams <linux at cmadams.net>