What does the "inspect" action do exactly?


#1

There are 4 possible firewall rule actions: drop, reject, accept and inspect. I can’t find anything that explains what that last one does. Can someone school me please?

tia

nr


#2

Hello NullRoute:

My best guess is that “inspect” is a legacy from the times Vyatta (the origin of the VyOS fork, now a Brocade product) had the Snort Intrusion Protection System (IPS) embedded in it. When you specified “inspect” on the Firewall Rule, it sent the data packages to Snort for inspection. If my memory doesn’t fail me, Snort was deprecated after version 6.3 of the original Vyatta, due to performance issues. It would be interesting if someone in the VyOS community knows what “inspect” is actually doing right now; as Snort is not present, I guess that it just passes the data packets straight through.