There are two general scenarios for using the firewall feature:

1. On a host operating as a gateway, routing traffic to other hosts on a network.

   In this case, the gateway host can act as a true firewall, filtering IP packets between 'secure' and 'non-secure' networks, and preventing undesirable traffic from passing between the two.

2. On a single workstation.

   IP filtering in this case would protect only the local system.

Network administrators may find the former scenario useful, if there is no need (or possibly no budget) for the more advanced protection features of a full-fledged firewall product such as IBM SecureWay Firewall. This scenario will be referred to as a gateway scenario.

Individual users, however, are more likely to find the firewall feature useful for protecting a single workstation. This scenario will be referred to as a workstation scenario.

In general, the mechanics of configuring filter rules are the same in either case (although the rules themselves would probably be different). There are three filter rule parameters, however, which require special consideration:

direction

When filtering traffic with an endpoint on the firewall itself, a rule will by definition apply only to one direction of traffic (either incoming or outgoing, depending on the source and destination parameters), even if this parameter is set to 'both'. This is because the source and destination parameters are always enforced, regardless of this parameter's value.

The direction parameter becomes significant, however, when routing traffic (such that the firewall is neither the source nor the destination). Since such traffic both enters and (subsequently) leaves the firewall, this parameter can be used to control when the rule is applied. A value of 'inbound' will apply the rule to IP packets as they enter the firewall; a value of 'outbound' will apply the rule to the IP packets as they leave the firewall.

A value of 'route' for this parameter only makes sense under a gateway scenario. A single workstation which is not routing traffic has no control over packets that match this criterion, and so any rule using it would be meaningless.

In a workstation scenario, this parameter should always be set to either 'both' or 'local' (which would in this case be functionally equivalent).

This parameter allows rules to be applied to 'secure' or 'non-secure' network interfaces. The distinction is only meaningful on a system with multiple network interfaces connected to two or more different networks.

See the next section for more details. Workstations with only one network interface should generally use the value 'both' for this parameter.