Understanding Your Firewall Setting


If asked what firewalls do, most people would answer that they keep you safe. While this isn’t inaccurate, it’s a sweeping oversimplification of the grand concept of the firewall itself. What it does to keep you safe and how it works are much more important concepts when understanding this seemingly enigmatic piece of software. You might have noticed that the firewall you’re using has two sets of “rules”: inbound and outbound. What do these things mean? Do you really need both of them? We’ll discuss this and discover what you should know about these concepts in any operating system, whether you’re using Windows, Linux, or Mac OS.

What Do The Terms Inbound and Outbound Mean?

These terms are used to describe what they govern.

Inbound rules govern what packets come into your computer from the internet. When a firewall is told to block inbound packets on a port or application, it will only block what comes into your computer through a specific port. If you have an inbound rule blocking an application, the firewall will first determine what port the application has open for packet transmission and block all incoming transmissions on that particular port.

Outbound rules govern what exits your computer. When you apply an outbound rule, the same thinking applies as it would in an inbound rule, the only difference being that an outbound block would simply tell the firewall to kill any packets exiting your computer through a particular port.

It’s only logical to have inbound protection, since you don’t want nasty packets coming into your computer. But do you need outbound protection?


Why Outbound Protection Exists

Packets that come out of your computer can harm you. If an application, without your consent, sends out a packet containing credit card data or passwords, you’ve exposed yourself without even knowing it. Some viruses do this and can really do harm. However, there are legitimate arguments for why you wouldn’t need outbound protection.

Why Outbound Protection May Not Be Necessary

When Windows Firewall prompts you by asking you whether you want to block an application or give it access to the internet, it makes an inbound rule based on your input.


The default firewall in most Linux distributions have to be manually configured and the effort can be painstaking for new users. For the sake of keeping this article simple, I will only use Windows firewalls as examples. MTE already has a wealth of information on iptables, the default Linux firewall for the majority of distributions.

So, Windows firewall blocks applications on an inbound basis. Why is this significant?

Perhaps because outbound blocking just becomes redundant in this case. Allow me to explain: If you are infected by a virus that sends out information, it rarely starts sending out that information without first establishing a connection with its “master,” which also requires inbound access (it needs to receive acknowledgement from the server that a connection is established). Yes, some viruses do send information to their respective servers through connection-less protocols like UDP. Others take advantages of common flaws in outbound firewall software to unbind themselves from the rules you configure. The most common way they work around firewall rules is by attaching themselves to other applications in your system and sending out information through something called a Winsock (a network socket found in Windows that allows them to connect to servers on the internet and interact with them).

If you’re so concerned about viruses, however, you should look into an antivirus. Firewalls really don’t do squat unless the virus’ writer was very dull and lazy. Also, most viruses don’t need a proper internet connection to wreak havoc on your system. Only some viruses exclusively operate on the internet (such as Trojan horses).

Aside from that, if you really just want to put some extra iron in your security, you don’t really need a third-party firewall to do this. Windows Firewall does outbound rules just fine.

The Conclusion?

Outbound firewalls have their uses, despite what I may say. For example, they prevent applications from calling home. Some more technically-experienced readers of MTE can relate to the fact that outbound rules are monumental in many cases in which we must prevent applications (not malware) from accessing the internet. However, regular home users need not concern themselves with the mechanics of outbound firewalls. An inbound rule is sufficient, coupled with a hardy antivirus utility.

If you want some questions answered, kindly leave a comment below and someone will be there.

Miguel Leiva-Gomez Miguel Leiva-Gomez

Miguel has been a business growth and technology expert for more than a decade and has written software for even longer. From his little castle in Romania, he presents cold and analytical perspectives to things that affect the tech world.


  1. I like the fact that when I go to Gibson Research Center and have them test my ports, that my computer doesnt answer the requests. Thats outbound protection. And that helps to stay somewhat invisable

  2. Hi shivabeach (cool name)
    During the test, GRC sends requests to your PC/Mac. These requests are inbound from your perspective. Your router and/or PC deny the requests.
    Also, this is separate from ‘stealth ports’, which can help make you invisible to inbound requests.

  3. Stealth means the port being pinged by an inbound request does not respond at all. ‘Closed’ means the port being pinged by an inbound request sends back a “Port Closed” response to the remote computer which sent the inbound request on that port. Some argue that ‘closed’ is better than ‘stealth’ because: (i) in both cases the port is inaccessible since ‘stealth’ implies ‘closed’, it just does not tell the remote computer the port is closed; (ii) ‘stealth’ induces more traffic on the internet because a remote Server may keep pinging the port if it receives no response. Also some older computer protocols require a response, even a closed response, on some ports – the IDENT port 113 is an example of this.

    1. As you say “Stealth means the port …… does not respond at all” leaving the ping-er to wonder if there is a PC on the other end. A”Closed” port, on the other hand, answers back saying “Ha, ha, ha. I’m here but I am not going to talk to you!” confirming the existence of the PC which is an invitation to further hacking attempts.

Comments are closed.