View Full Version : Inbound vs. Eitherbound Inspection

Barry J. Stiefel
2005-08-13, 16:27
Inbound vs. Eitherbound Inspection

(This FAQ is relevant to FireWall-1 4.1 and earlier as NG uses Eitherbound inspection and cannot be changed.)

"Inbound" means the packets are scanned as the packets come into the firewall, before any routing takes place, etc. In most cases, this is usually sufficient. "Eitherbound" means scans scan the packet both as the packet enters the gateway (before it is routed) and as it's leaving the gateway (after it is routed, before NAT occurs). There are two times I know of you would want to perform Eitherbound inspection, though someone else may come up with some other reason.

On rules regarding the firewall. Specifically, those rules allowing the firewall to do certain things outbound. In these cases, change the "Install-on" field to "Src" and "Dst."
When you are using Dual Network Address Translation (translating both the source and destination of the packet) with the authentication servers. A customer ran across a rather interesting bug where if an authenticated session times out and you are using Dual NAT, the connection will not correctly close on both sides if the connection times out. The only way for this to work correctly is to use eitherbound inspection. Installing on a specific target does not seem to work reliability (go figure).

In FireWall-1 4.1, the default is Eitherbound.

-- PhoneBoy (http://www.phoneboy.com/bin/view.pl/Main/PhoneBoy) - 11 Jan 2004

FAQForm (http://www.phoneboy.com/bin/view.pl/FAQs/FAQForm) FAQs.Class: MiscellaneousFAQs (http://www.phoneboy.com/bin/view.pl/FAQs/MiscellaneousFAQs) FAQs.OS: FAQs.Version: 4.1