There are two general scenarios for using the firewall feature:
In this case, the gateway host can act as a true firewall, filtering IP packets between 'secure' and 'non-secure' networks, and preventing undesirable traffic from passing between the two.
IP filtering in this case would protect only the local system.
Network administrators may find the former scenario useful, if there is no need (or possibly no budget) for the more advanced protection features of a full-fledged firewall product such as IBM SecureWay Firewall. This scenario will be referred to as a gateway scenario.
Individual users, however, are more likely to find the firewall feature useful for protecting a single workstation. This scenario will be referred to as a workstation scenario.
In general, the mechanics of configuring filter rules are the same in either case (although the rules themselves would probably be different). There are three filter rule parameters, however, which require special consideration:
The direction parameter becomes significant, however, when routing traffic (such that the firewall is neither the source nor the destination). Since such traffic both enters and (subsequently) leaves the firewall, this parameter can be used to control when the rule is applied. A value of 'inbound' will apply the rule to IP packets as they enter the firewall; a value of 'outbound' will apply the rule to the IP packets as they leave the firewall.
In a workstation scenario, this parameter should always be set to either 'both' or 'local' (which would in this case be functionally equivalent).
See the next section for more details. Workstations with only one network interface should generally use the value 'both' for this parameter.
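The effect of the direction parameter on routed traffic, and the equivalence of 'both' and 'local' on a workstation, can be seen in a small model. This is an added example, not the product's rule syntax or code from the original documentation. The field name `routing`, the value 'route', the single `dst_port` match field, and the first-match, default-deny evaluation are all assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str      # 'permit' or 'deny'
    direction: str   # 'inbound', 'outbound' or 'both' (values from the text)
    routing: str     # 'local' or 'both' from the text; 'route' and the name are assumed
    dst_port: int    # constructed match field; real rules match on more

def checkpoints(routed):
    """Points at which the filter sees a packet, as (direction, routing) pairs."""
    if routed:
        # Routed traffic enters and then leaves the firewall: two checks.
        return [("inbound", "route"), ("outbound", "route")]
    # Simplification: a locally terminated packet is checked once, on arrival.
    return [("inbound", "local")]

def applies(rule, direction, routing, dst_port):
    return (rule.dst_port == dst_port
            and rule.direction in (direction, "both")
            and rule.routing in (routing, "both"))

def trace(rules, dst_port, routed):
    """Return [(checkpoint_direction, verdict)], stopping at the first deny.
    Assumed semantics: first matching rule wins, no match means deny."""
    result = []
    for direction, routing in checkpoints(routed):
        verdict = next((r.action for r in rules
                        if applies(r, direction, routing, dst_port)), "deny")
        result.append((direction, verdict))
        if verdict == "deny":
            break
    return result

# Constructed gateway rule set: port 23 is stopped only as it leaves.
GATEWAY = [
    Rule("deny", "outbound", "route", 23),
    Rule("permit", "both", "both", 23),
    Rule("permit", "both", "both", 80),
]
# Constructed workstation rule sets differing only in 'both' vs 'local'.
WS_BOTH = [Rule("permit", "both", "both", 80)]
WS_LOCAL = [Rule("permit", "both", "local", 80)]

if __name__ == "__main__":
    print(trace(GATEWAY, 23, routed=True))    # enters, then dropped on exit
    print(trace(GATEWAY, 23, routed=False))   # local traffic is unaffected
    print(trace(WS_BOTH, 80, routed=False) == trace(WS_LOCAL, 80, routed=False))
```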