Well, you are right, but this is not about statefull inspection but the way the rules were originally implemented. IN means incoming packets, OUT means outgoing packets (in current implementation specifying only IN or only OUT for TCP protocol is senseless) and it is not exactly the same as IPFW rules where IN means incoming connection, OUT means outgoing connection for TCP. I agree that this may confuse a bit and probably it makes sense to change this behavoiur in order to avoid missunderstandings. Thanks for pointing this.
The rule you have created allows any system connect your port (from any port) 80 and connecting any your local port from port 80 what really breaks any security. Basically if you want to allow any kind of outgoing connections you are supposed to use on the the Stealth Security levels and create rules to drop undesired outgoing connections and may be some rules to open local ports if you also work as server. High Securty level was designed for servers which are supposed not to go outside world but just open some local ports to provide services for their users.
Dear SerpentFly, first of all thanks for your answer 🙂
Actually I think we just had a misunderstanding.
Our goal is to let only everything I want go out (e.g. HTTP and DNS just to browse over the Internet) and let go in only the answers from the servers I opened a connection to, just as statefull firewalling has to work. I know that DNS works on UDP and actually UDP doesn’t provide any type of connection (so talking about the state of connection on a udp comunication is not properly correct) but other statefull firewalls I have tried provide some kind of support for udp sessions (e.g. the connection tracking module of Netfilter/Iptables).
After reading your answer we did as you suggested: we put the FW on 3rd level security and just added the rules for HTTP and DNS, as in the images below.
HTTP works as expected, but DNS doesn’t, and in the log it’s reported the outgoing packets are processed by our own rules, but the answers by the “general security”: ingoing http is allowed as expected, but dns (we need to browse) is blocked by general security.
Do you have any ideas about it? Maybe it’s because NetFirewall doesn’t provide any support for connection tracking on udp communications?
Obviously we cannot add a rule allowing every ip address to contact me on my 53 udp port, even thougth in this way I can browse: that would be a huge hole in my security walls! A scan using nmap with 53 udp port as the source port would be allowed 😯
(if I permit 21/TCP out and I block all the other outgoing traffic passive ftp doesn’t works)
Have you any ideas about it?
Thanks a lot for your attenction