Potentially conflicting firewall direction instructions?

Started by shallpion, May 23, 2020, 07:27:20 AM

Hi, thanks for reading my post :) I am using OPNsense 20.1.7-amd64 and I noticed that in Firewall->Rules->LAN (could be any interface), if I edit any rule and click the small "i" icon next to the "Direction" field, an instructional message appears:

Quote: Direction of the traffic. The default policy is to filter inbound traffic, which sets the policy to the interface originally receiving the traffic.

However if I read the online manual https://docs.opnsense.org/manual/firewall.html, it says

Quote: our default is to filter on incoming direction. In which case you would set the policy on the interface where the traffic originates from.

I think if I understood it correctly, the one on the web interface sounds correct and the online manual perhaps is a little misleading. Should this be fixed? Thanks :)

OK, so after reading the book "Building Firewalls with OpenBSD and PF" and doing some experiments on my OPNsense box, I think in some sense both quotes are correct. Here is a quote from the book regarding "direction":

Quote: 8.1.3 Inbound or Outbound (in, out)?

The next required keyword that appears after either the block (followed by optional drop, return-icmp, return-icmp6, return-rst, or return keywords) or the pass keyword is the direction keyword. There are two direction keywords you can use: in or out. They are known to cause some confusion, especially when the firewall is equipped with more than one network interface, and when NAT rules are used along with filtering rules. The key to understanding when a packet matches either the in or the out rule is remembering that these directions are relative to the firewall itself. If a packet is sent from an external host to the firewall, it matches the in rule on the firewall external interface; when it is sent from the firewall itself, it matches the out rule on the external interface. Similarly, packets sent from internal hosts to the firewall and destined to external hosts will match in rules on the interface connecting your private network segment to the firewall and out rules on the firewall external interface.

I think my original confusion was that, exactly as the book says, "in" and "out" are relative to the firewall as a system, not to the interface the traffic is passing through. So the online manual in this sense can certainly be interpreted as "the traffic originates from interface IF1 because that is where the traffic is received by the firewall box".
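To make the book's description concrete, here is an added pf.conf example for a two-interface firewall; it is not from the thread, the book, or the OPNsense project. Interface names em0/em1, the LAN prefix, and the sample addresses in the comments are assumptions chosen for illustration.

```pf
# Added example (not from the original thread). Assumed interface names:
ext_if  = "em0"               # WAN-facing interface (assumption)
int_if  = "em1"               # LAN-facing interface (assumption)
lan_net = "192.168.1.0/24"    # assumed LAN prefix

set skip on lo0

# Default deny in both directions on every interface. Direction is always
# relative to the firewall box: "in" = entering the box, "out" = leaving it.
block log all

# Flow 1: LAN host 192.168.1.10 -> Internet host 203.0.113.5 port 443.
# The packet ENTERS the firewall on $int_if, so it is matched by "in on $int_if".
# This is the interface the OPNsense GUI text calls "the interface originally
# receiving the traffic" and the manual calls "where the traffic originates from".
pass in on $int_if inet proto tcp from $lan_net to any port { 80 443 }

# The very same packet then LEAVES the firewall on $ext_if. Because pass rules
# keep state by default, the state created by the rule above already allows
# it out; the equivalent outbound-style policy would be the rule below, and
# you would use one or the other, not both, to avoid double filtering.
# pass out on $ext_if inet proto tcp from $lan_net to any port { 80 443 }

# Flow 2: Internet host -> the firewall's own SSH port.
# The packet enters on $ext_if, so "in on $ext_if" is the matching direction;
# a "block in on $int_if" rule would never see this packet.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22

# Flow 3: traffic sent by the firewall itself (e.g. package updates) leaves the
# box on $ext_if and is matched by "out on $ext_if", never by any "in" rule.
pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any
```

The practical check is to ask, for each packet, which interface it crosses and whether it is entering or leaving the box at that interface; a rule written for the wrong pair (for example "block in on $ext_if" intended to stop LAN clients reaching the Internet) simply never matches that flow.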