What is the point of Inbound and Outbound Connections? Isn't In+Out enough?

[Exaco]

Hi there, I am curious why there's an option to choose between In and Out if they both do the exact same thing in the end?

If hacker has access to my server and I block his IP as Outbound = he sees me offline = connection lost.
If hacker has access to my server and I block his IP as Inbound = he sees me offline = connection lost.

Both options give exact same result, so why do we have an option to choose between the two, is there any practical real world use for it?

[szalikdev]

Inbound is incoming traffic, meaning someone tries to access your server.

 

Outbound is traffic that goes from your server to someone.

 

If you block incoming ip 7.7.7.7 for example, user with that ip won’t be able to access your server but if you block outbound for that ip, your server won’t be able to reach that ip therefore it cannot access it.

[tikker]

You highlight damage control aspects. There can be other network-management reasons why you may want to block or control inbound or outbound traffic in certain ways, so it is useful to be able to set them up separately.

[manikyath]

if you only block inbound communication, your device can still send information to the blocked address, just not receive a reply.

if you only block outbout communication, your device can still receive information from a blocked address, just not send a reply.

 

in the first case, a compromised system can still leak data.

in the second case, a compromised system can still receive commands.

 

it's not because your example application can no longer work, that a specificly crafted application cannot.

[Alex Atkin UK]

57 minutes ago, Exaco said:

Hi there, I am curious why there's an option to choose between In and Out if they both do the exact same thing in the end?

If hacker has access to my server and I block his IP as Outbound = he sees me offline = connection lost.
If hacker has access to my server and I block his IP as Inbound = he sees me offline = connection lost.

Both options give exact same result, so why do we have an option to choose between the two, is there any practical real world use for it?

 

Its more complicated than that, as it depends WHERE you are blocking it.

 

For example if you block outbound connections to an IP address on the WAN side, you wont be able to access that IP at all.  However that would not stop that IP address from sending traffic to you, they would just not get a response.  They could still flood you with traffic, so you'd want to block inbound too.

 

There may be cases where you want to block traffic only to/from specific clients on the LAN side, but allow it in general.  You might want to block certain IP address going to a server, but not block the LAN from accessing it. (eg geoblocking on a port forward to your server)

 

 

[Exaco]

49 minutes ago, manikyath said:

if you only block inbound communication, your device can still send information to the blocked address, just not receive a reply.

if you only block outbout communication, your device can still receive information from a blocked address, just not send a reply.

 

in the first case, a compromised system can still leak data.

in the second case, a compromised system can still receive commands.

 

it's not because your example application can no longer work, that a specificly crafted application cannot.

Makes perfect sense now, thanks.

[Allan B]

You also want to consider statefull vs stateless firewalls.   If you look that up, outbound traffic allows inbound traffic that is part of the same connection.   

[jimm_eh]

Isn't there a control for distinguishing between packets that are "new" vs. packets that are part of an already established connection/relationship?

e.g. if I block inbound packets from WAN to LAN, but one of my devices has sent outbound packets to a site initiating a connection, then responses from that external source are permitted?

I could have sworn I'd seen something about that in one of my older firewall rules (maybe the Edgerouter X), but my current Opnsense box does not seem to have anything like that.

I'm curious because at one point I was trying to block a range of IP addresses on my LAN from accessing anything on the WAN port, and yet pings were going through anyway. (I eventually just went to a "default block all" setup and then allowed the internet-permitted IP range of local machines full access, which worked.)