Understanding Firewall Packet Filtering Directions

Asked By CuriousCat42 On

Hey everyone, I'm currently learning about firewalls in school, and I came across some examples that have me a bit confused. One example shows a packet filtering table that includes a row for a TCP connection from a source IP (my local machine) to the destination IP (google.com) on port 80. The table lists the action as 'Allow' with the direction set to 'IN'.

My classmates and I thought that to start a communication with Google, the direction should actually be 'OUT' because that's how the local machine initiates the connection. Our teacher mentioned that because this is for stateful filtering, the direction doesn't matter. But I feel like the direction is important because it determines who can initiate the communication. If the direction is 'IN', doesn't that mean only incoming traffic is allowed and outbound traffic could be blocked? I'd love to hear your thoughts on this!

3 Answers

Answered By FirewallFanatic88 On

You're definitely correct that direction matters, especially for Layer 3 firewalls. If the packet log entry is seen from the firewall’s perspective, the direction could be IN, meaning the firewall allows packets coming from the outside to the local network. If it's from the host’s perspective, it’s outgoing (OUT). The rules are tailored per interface, which can often cause confusion about which packets are allowed.

ConfusedUser101 -

Wait, so does that imply that there are different perspectives based on who's viewing the logs? That seems really confusing if all firewalls do it differently!

Answered By TechieTom99 On

It sounds like you're thinking about the firewall's perspective! When you're configuring rules for a firewall, especially for access control lists, the direction 'IN' often refers to traffic entering the firewall from a specific interface, even if you expect the connection to start from the inside (like your machine). So, in your case, ETH0 is trying to let traffic from 192.168.0.10 to reach Google, which is valid if you see it as incoming to the firewall's interface.

NetworkNerd23 -

Exactly, the interface can change the way you interpret 'in' and 'out'. ETH0 is indeed facing your local network, which contextualizes the IN direction for this rule, indicating that the firewall is allowing that specific traffic to enter the local network from an external source.

Answered By SecureGuru7 On

That’s a good point! Firewalls generally aim to protect the network from unwanted traffic while allowing legitimate traffic out. The rule from your example does indeed permit outbound traffic because it's allowing your local machine to access Google on port 80, which means it has to be allowed to send packets out first. So, essentially, the inbound rule is a response to outbound requests that have already been made!

QuickLearner54 -

But if I understand correctly, if I’m looking at firewall rules, wouldn’t it also need to recognize which direction traffic is supposed to flow? How are we supposed to know what’s really allowed and what isn’t?
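To make the two points in this thread concrete (the firewall-side meaning of 'IN' on a LAN-facing interface, and the stateful table that lets reply traffic through without a second rule), here is a small simulated stateful filter. It is an added example, not code from the original thread or from any product. Interface names, the `198.51.100.10` address standing in for google.com, the `203.0.113.5` external host and the port numbers are all constructed for the demonstration; only the 192.168.0.10 host and the "Allow, IN, port 80" rule come from the question.

```python
"""Toy stateful packet filter with per-interface IN/OUT directions.

Added example, not from the original thread. Directions are taken from the
firewall's perspective: "IN" means the packet enters the firewall on the named
interface, "OUT" means it leaves the firewall through that interface.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str         # interface on which the firewall sees the packet
    direction: str     # "IN" or "OUT", relative to the firewall, not the host
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the TCP packet that opens a connection


@dataclass(frozen=True)
class Rule:
    iface: str
    direction: str
    proto: str
    src: str              # address or "any"
    dst: str              # address or "any"
    dport: Optional[int]  # None matches every destination port
    action: str           # "ALLOW" or "DROP"

    def matches(self, pkt: Packet) -> bool:
        return (self.iface == pkt.iface
                and self.direction == pkt.direction
                and self.proto == pkt.proto
                and self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst)
                and self.dport in (None, pkt.dport))


ConnKey = Tuple[str, str, int, str, int]


class StatefulFilter:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.conns: Set[ConnKey] = set()  # state table of accepted connections

    def filter(self, pkt: Packet) -> str:
        key: ConnKey = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse: ConnKey = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Stateful part: packets of a connection already in the table pass in
        # either direction on any interface, so no separate reply rule is needed.
        if key in self.conns or reverse in self.conns:
            return "ALLOW-ESTABLISHED"
        # Stateless part: first matching rule wins; only an allowed
        # connection-opening packet creates state.
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "ALLOW" and pkt.syn:
                    self.conns.add(key)
                return rule.action
        return "DROP"  # default deny


# Constructed ruleset mirroring the question: eth0 faces the LAN, eth1 the
# Internet. The single rule is the worksheet's "Allow, direction IN" row read
# from the firewall's side: the host's outbound SYN enters the firewall on eth0.
RULES = [
    Rule("eth0", "IN", "tcp", "192.168.0.10", "any", 80, "ALLOW"),
]

WEB_SERVER = "198.51.100.10"  # documentation address standing in for google.com
OUTSIDER = "203.0.113.5"      # constructed external host


def run_scenario() -> List[str]:
    fw = StatefulFilter(RULES)
    packets = [
        # 1. host opens the connection: enters the firewall on eth0, matches the rule
        Packet("eth0", "IN", "tcp", "192.168.0.10", 51234, WEB_SERVER, 80, syn=True),
        # 2. server's reply enters on eth1: no rule for it, but the state table has it
        Packet("eth1", "IN", "tcp", WEB_SERVER, 80, "192.168.0.10", 51234),
        # 3. unsolicited connection from outside to the host's port 80: no rule, no state
        Packet("eth1", "IN", "tcp", OUTSIDER, 4444, "192.168.0.10", 80, syn=True),
        # 4. a reply-shaped packet for a connection that was never opened
        Packet("eth1", "IN", "tcp", WEB_SERVER, 80, "192.168.0.10", 60000),
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

Running it gives `ALLOW`, `ALLOW-ESTABLISHED`, `DROP`, `DROP`: the 'IN' rule only lets the host's own connection opener through because it is bound to eth0 and to the host's address, the reply is accepted purely on state, and neither an unsolicited inbound connection nor a forged "reply" with no matching entry gets in. This is the same division of labour Linux netfilter expresses with a rule that accepts `ESTABLISHED,RELATED` conntrack states alongside the interface-specific rules for new connections.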
