Digi Transport firewall

Kindly advise on the usage of, flag S!A and inspect state
they must be use together? I tried using them separately, what is the effect?
dscp 20 proto ftp
dscp 20 proto ftp flags S!A
dscp 20 proto ftp flags S!A inspect state

All works but don’t really understand the combination, will it have any effect if use on dscp fw rules?

  1. I saw statements use them, inspect state allow connect out on a DSt ip, and allow the destination IP to make a separate connection in also on different port?



the inspect-state command is used in the firewall to allow the return path rules to be created dynamical

on the basic firewall version you would have to have an inbound and outbound rule to allow communications

with the flags this is only going to start or be valid when it is the first packet in the process and this will build the return path
as the first packet would only have a syn flag
any other attempts would not satisie the rule so S!A is only going to allow the SYN packet of the communication and then the rest of the packets in the stream will be allowed as they are associated with the stream.

if the firewall recives a packet with SYN ACK and no releavent stream in it tables it will be dropped