The Direction rule element matches the direction a packet is travelling as it traverses the interface. There are three traffic direction settings for policy rules:
A direction of Inbound matches traffic that is ingressing through a firewall interface.
A direction of Outbound matches traffic that is egressing through a firewall interface.
A direction of Both matches traffic either ingressing or egressing from the firewall. When you use the Both direction in a rule and compile the rule, Firewall Builder converts the rule into to two rules: one for direction Inbound and one for direction Outbound. Firewall Builder then validates each rule to make sure they both make sense by looking at the defined source and destination addresses, dropping one of the rules if necessary.
If you build a rule with a firewall object in the Destination field and with direction of Both, the result for PF platforms should be a rule with pass in, which is equivalent to a direction of Outbound in the original Firewall Builder rule. For iptables platforms, the rule is placed in the INPUT chain. If the firewall object is defined in the Source field of the rule, then Firewall Builder automatically changes the direction Both to Outbound and processes the rule accordingly.
This automatic change of the direction is only performed when the direction is Both. If the direction is Inbound or Outbound, Firewall Builder complies with the setting without changing the rule. (This is how anti-spoofing rules are constructed, for example, because in rules of that kind, the firewall object and the objects representing addresses and networks behind it are in the Source field, yet the direction must be set to Inbound.)
Note that traffic direction is defined with respect to the firewall device, not with respect to the network behind it. For example, packets that leave the internal network through the firewall are considered "inbound" on firewall's internal interface and "outbound" on its external interface. Likewise, packets that come from the Internet are "inbound" on the firewall's external interface and "outbound" on its internal interface. Figure 7.3 illustrates directions for packets entering or exiting the firewall interface.
Many supported firewall platforms allow for rules to be written without explicitly specifying a direction of "in" or "out"; for example, pass quick proto tcp .. .. in PF configuration or iptables rules in the FORWARD chain without the -i interface or -o interface clauses. Firewall Builder always tries to use this construct for rules with direction Both, unless addresses in the source and destination indicate that the rule can be made more specific.
Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.
Using free CSS Templates.