Yeah, I may be making a slight 'thinking error' there, because, at first sight, outgoing TCP acks are only caused by incoming TCP packets, so it would only be necessary to associate the TCP ack queue with incoming tcp connection rules.
But, of course, when making an outbound tcp connection (like an interactive ssh session), you will have to reply to return traffic with acks as well, and those are also outbound TCP acks.
So yes, put those double queues on the inbound and outbound tcp rules.
|