BIND allow-transfers and firewall

If I set allow-transfers in BIND to a given set of ips then must I also open those addresses in iptables?

I use a secondary DNS server in which I need to allow transfers but I am getting tons of FORMERR errors in my logs and wondering if it is due to the firewall.

Well, you do need to make sure the firewall is open, sure.

Where are you seeing the errors though, on primary DNS server, or the secondary?

I tried to setup allow-transfers globally but it seems that one can only do forwarding from this option. I had to go to zone defaults for each zone to setup transfers only. Unless I missed a "Global" way to do it.