A couple of my clients often get confused with which interface to use when creating a firewall rule. What's the easiest way to remember which is which?

Why is there a difference?

Sorry to disappoint you, but every interface can be in-interface and out-interface.

For example you have two ports "Local" - to clients and "Public" - to internet

In case of client's download in-interface will be Public, and out-interface will be Local.
In case of client's upload in-interface will be Local, and out-interface will be Public.

It depends on which packet the person wants to catch. Ask yourself - the packet I want - where will it come from, and where will it go?

www --> IN router OUT ---> client

client --> IN router OUT --> www

as Macgaiver said - make them think - where packet is going , where it goes in and where it goes out, that way you will be always clear what to set where. Same with download and upload - just think where traffic flow goes.

This is great!

Thanks guys I will pass this on immediately.