Firewall setup - Input and Output

Sorry for my English.

I am having some troubles understanding if I should open ports via input, output, or both.

For instance, let's take the basic HTTP port 80 on a standard client. If I want it to access the Internet, I think I should open port 80 in INPUT AND OUTPUT on the client. Is that right? This is why I think that:

  • Client will send an HTTP GET on port 80, so port 80 output must be open.
  • Server will respond and send the page on port 80, so client must have port 80 input open.

The same applies for the server: it will receive the request on port 80 and send the response on port 80, so the HTTP server must have port 80 open on INPUT AND OUTPUT.

Do I understand it well?


Solution 1:

Traffic typically does not return on the same port that it leaves on.

When a client generates a request, such as for a web page, the source port is randomly generated. Your outbound traffic might look like this Source:50000 Destination:80, while the return traffic will see the numbers flipped Source:80 Destination:50000. This is because the reserved ports are only for servers which are listening for service requests, meaning traffic destined for port 80 should be heading TO a web server, not FROM one.

Solution 2:

If your firewall is NOT a stateful one then yes, you're correct.

If your firewall is a stateful one then you usually don't have to configure the opposite rule. On some systems you do have to explicitly configure it.

For example on Linux, you can add:

iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

to allow any incoming connections that were initiated by the host.
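To make the two answers concrete, here is a small added example (not code from either answer) that models a stateful client firewall: outbound NEW connections to port 80 are allowed, and inbound packets are accepted only when they are the mirror image of a connection the host itself opened, which is what the RELATED,ESTABLISHED rule does. Addresses, ports and packets are constructed sample values.

```python
# Toy stateful packet filter for a client host, illustrating why a web
# client needs no INPUT rule for port 80: the reply comes back to the
# random source port, and connection tracking recognises it.
# All packets below are constructed, not captured traffic.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "OUTPUT" = leaving this host, "INPUT" = arriving


class StatefulClientFirewall:
    def __init__(self, allowed_dports=(80,)):
        self.allowed_dports = set(allowed_dports)
        # Connection table keyed by the outbound (src, sport, dst, dport).
        self.established = set()

    def filter(self, pkt):
        if pkt.direction == "OUTPUT":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            # NEW connection to an allowed service, or more data on a
            # connection we already track.
            if key in self.established or pkt.dport in self.allowed_dports:
                self.established.add(key)
                return "ACCEPT"
            return "DROP"
        # INPUT: accept only the reverse tuple of a tracked outbound flow
        # (the RELATED,ESTABLISHED idea); everything unsolicited is dropped.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ACCEPT" if reverse in self.established else "DROP"


def run_demo():
    fw = StatefulClientFirewall()
    client, server = "192.0.2.5", "203.0.113.10"  # constructed sample hosts
    request = Packet(client, 50000, server, 80, "OUTPUT")     # GET leaves
    reply = Packet(server, 80, client, 50000, "INPUT")        # page returns
    spoofed = Packet(server, 80, client, 50001, "INPUT")      # wrong sport
    unsolicited = Packet("198.51.100.9", 44444, client, 80, "INPUT")
    return [fw.filter(p) for p in (request, reply, spoofed, unsolicited)]


if __name__ == "__main__":
    print(run_demo())  # ['ACCEPT', 'ACCEPT', 'DROP', 'DROP']
```

The last two verdicts show the point of Solution 1: an inbound packet to port 80 on the client is not "the reply", and a stateful firewall never needs a standing INPUT rule for it.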