Understanding Your Firewall Setting

If asked what firewalls do, most people would answer that they keep you safe. While this isn’t inaccurate, it’s a sweeping oversimplification of the grand concept of the firewall itself. What it does to keep you safe and how it works are much more important concepts when understanding this seemingly enigmatic piece of software. You might have noticed that the firewall you’re using has two sets of “rules”: inbound and outbound. What do these things mean? Do you really need both of them? We’ll discuss this and discover what you should know about these concepts in any operating system, whether you’re using Windows, Linux, or Mac OS.

These terms are used to describe what they govern.

Inbound rules govern what packets come into your computer from the internet. When a firewall is told to block inbound packets on a port or application, it blocks only the traffic that arrives at your computer on that specific port. If you have an inbound rule blocking an application, the firewall first determines which port the application has opened for packet transmission and then blocks all incoming transmissions on that particular port.

Outbound rules govern what exits your computer. When you apply an outbound rule, the same thinking applies as it would for an inbound rule; the only difference is that an outbound block tells the firewall to drop any packets leaving your computer through a particular port.

It’s only logical to have inbound protection, since you don’t want nasty packets coming into your computer. But do you need outbound protection?

Packets that come out of your computer can harm you. If an application, without your consent, sends out a packet containing credit card data or passwords, you’ve exposed yourself without even knowing it. Some viruses do this and can really do harm. However, there are legitimate arguments for why you wouldn’t need outbound protection.

When Windows Firewall prompts you by asking you whether you want to block an application or give it access to the internet, it makes an inbound rule based on your input.

The default firewall in most Linux distributions has to be configured manually, and the effort can be painstaking for new users. For the sake of keeping this article simple, I will only use Windows firewalls as examples. MTE already has a wealth of information on iptables, the default Linux firewall for the majority of distributions.

So, Windows firewall blocks applications on an inbound basis. Why is this significant?

Perhaps because outbound blocking just becomes redundant in this case. Allow me to explain: if you are infected by a virus that sends out information, it rarely starts sending that information without first establishing a connection with its “master,” which also requires inbound access (it needs to receive acknowledgement from the server that a connection is established). Yes, some viruses do send information to their respective servers through connection-less protocols like UDP. Others take advantage of common flaws in outbound firewall software to unbind themselves from the rules you configure. The most common way they work around firewall rules is by attaching themselves to other applications on your system and sending out information through something called a Winsock (a network socket found in Windows that allows them to connect to servers on the internet and interact with them).

If you’re so concerned about viruses, however, you should look into an antivirus. Firewalls really don’t do squat unless the virus’ writer was very dull and lazy. Also, most viruses don’t need a proper internet connection to wreak havoc on your system. Only some viruses exclusively operate on the internet (such as Trojan horses).

Aside from that, if you really just want to put some extra iron in your security, you don’t really need a third-party firewall to do this. Windows Firewall does outbound rules just fine.
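To show what the inbound and outbound rules described above actually look like on Windows, and that Windows Firewall handles both directions without any third-party software, here is an added PowerShell example. It is not from the original article; it uses the built-in NetSecurity cmdlets (Windows 8 / Server 2012 and later) and must be run from an elevated prompt. The program path and rule names are assumptions chosen for illustration.

```powershell
# Added example, not part of the original article. Creates an inbound and an
# outbound block rule for one program, shows what each rule is made of, and
# audits the profile defaults and the outbound blocks already in place.
# The path and names below are assumptions; substitute the application you mean.

$app      = 'C:\Program Files\ExampleApp\example.exe'   # assumed path
$ruleBase = 'MTE demo - ExampleApp'                      # assumed rule name prefix

# 1. Inbound block: this is what answering "block" to the Windows Firewall
#    prompt amounts to. Nothing from the network may reach example.exe.
New-NetFirewallRule -DisplayName "$ruleBase (inbound)" `
    -Direction Inbound -Program $app -Action Block `
    -Profile Any -Enabled True | Out-Null

# 2. Outbound block: the same idea in the other direction. Packets that
#    example.exe tries to send are dropped, so it cannot "call home".
New-NetFirewallRule -DisplayName "$ruleBase (outbound)" `
    -Direction Outbound -Program $app -Action Block `
    -Profile Any -Enabled True | Out-Null

# 3. Inspect what was created. A rule is a direction and an action joined to
#    a set of filters (program, port, address); we set only the program filter,
#    so the port filter reports protocol 'Any' and no port restriction.
Get-NetFirewallRule -DisplayName "$ruleBase*" |
    ForEach-Object {
        $rule = $_
        $prog = $rule | Get-NetFirewallApplicationFilter
        $port = $rule | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name      = $rule.DisplayName
            Direction = $rule.Direction
            Action    = $rule.Action
            Program   = $prog.Program
            Protocol  = $port.Protocol
        }
    } | Format-Table -AutoSize

# 4. Profile defaults. Windows ships with DefaultInboundAction = Block and
#    DefaultOutboundAction = Allow, which is why an outbound rule only matters
#    for programs you explicitly block.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# 5. Audit: every enabled outbound block rule currently present, i.e. the
#    programs already prevented from calling home.
Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True |
    Select-Object DisplayName, Profile

# To flip to a deny-by-default outbound policy (everything not explicitly
# allowed is dropped, so expect many applications to stop working until you
# add allow rules), uncomment the next line:
# Set-NetFirewallProfile -All -DefaultOutboundAction Block

# Clean-up for this demo:
# Remove-NetFirewallRule -DisplayName "$ruleBase*"
```

Steps 1 and 2 are the inbound and outbound rules from the opening definitions; step 3 makes the point that a program-based rule carries no port filter of its own, and step 4 shows why outbound rules rarely need attention on a default Windows install.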

Outbound firewalls have their uses, despite what I may say. For example, they prevent applications from calling home. Some more technically-experienced readers of MTE can relate to the fact that outbound rules are monumental in many cases in which we must prevent applications (not malware) from accessing the internet. However, regular home users need not concern themselves with the mechanics of outbound firewalls. An inbound rule is sufficient, coupled with a hardy antivirus utility.

If you want some questions answered, kindly leave a comment below and someone will be there.