Re: [edlug] loading kernel modules


On Wed, 2003-01-15 at 14:10, Tim Bradshaw wrote:

> Related to this (well, not really), if you are using DNS I think you
> need to set things up to allow DNS replies back in, which are UDP (can
> they be TCP?

They can, but use of TCP is rare (it's mainly used either for zone
transfers or for situations where there is too much data to fit into a
UDP datagram.)

> above, I'm not sure that you can do the same trick with UDP that you
> can with TCP and only allow established connections, because there is
> no connection state...

The iptables code can track UDP pseudo-connections, opening up a
firewall port when an outgoing packet is sent so that replies on the
same port from the same host will be accepted.  The "connection" times
out automatically after (IIRC) 15 minutes of inactivity.
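As an added illustration of the ruleset being discussed (this is not code from the thread or from anyone posting in it): a small script that lets a host send DNS queries out over UDP or TCP and accepts only the replies that connection tracking can match to a query the host already sent. It assumes the iptables `-m state` match as it existed at the time (modern kernels accept it as an alias for `-m conntrack --ctstate`), and a single resolver address; the resolver 192.0.2.53 is a placeholder from the documentation range, not anything from the thread. By default the script only prints the rules; set IPT=iptables and run it as root to apply them.

```shell
#!/bin/sh
# Added example, not part of the original thread. Prints (or, with
# IPT=iptables, applies) rules that rely on connection tracking to admit
# DNS replies without opening UDP or TCP port 53 to the world.
#
# IPT defaults to a dry run so the ruleset can be reviewed first;
# "IPT=iptables sh dns-rules.sh" as root applies it for real.
IPT="${IPT:-echo iptables}"
RESOLVER="${RESOLVER:-192.0.2.53}"   # assumed resolver address (placeholder)

dns_rules() {
    # Default deny inbound; everything below is a hole punched into this.
    $IPT -P INPUT DROP

    # Outgoing queries to the resolver. UDP is the normal case; TCP covers
    # the rare large answer or zone transfer. Each first packet creates the
    # conntrack entry that the INPUT rules below will match against.
    $IPT -A OUTPUT -p udp -d "$RESOLVER" --dport 53 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -p tcp -d "$RESOLVER" --dport 53 \
        -m state --state NEW,ESTABLISHED -j ACCEPT

    # Replies are accepted only when conntrack already holds an entry for
    # the reversed address/port pair. UDP has no handshake, so ESTABLISHED
    # here simply means "we sent the first packet"; the entry expires after
    # the UDP conntrack timeout if no more packets follow.
    $IPT -A INPUT -p udp -s "$RESOLVER" --sport 53 \
        -m state --state ESTABLISHED -j ACCEPT
    $IPT -A INPUT -p tcp -s "$RESOLVER" --sport 53 \
        -m state --state ESTABLISHED -j ACCEPT

    # Anything arriving from port 53 without a matching entry, including
    # spoofed "replies" to queries that were never sent, falls through to
    # the INPUT DROP policy.
}

dns_rules
```

Note that no INPUT rule opens port 53 for NEW packets: an attacker who sends a UDP datagram from source port 53 gets dropped unless the firewall saw the matching outbound query first, which is the whole point of tracking UDP even though it has no connection state of its own.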