Allow SSH connections while blocking all outbound traffic with Cloud Firewalls
I want to block all outgoing connections by default using Cloud Firewall but I would also like to connect via SSH. Would I need to specify exceptions to outgoing traffic?
I guess the short answer would be: no. Let me try to explain why.
When starting a connection, the client first chooses a random port, called an ephemeral port, before reaching out to the server via the service port. Once the request reaches the server, it will communicate with the client using the ephemeral port. For example, if I'm trying to contact your server via SSH, my client may choose a port like 40000 before reaching out via port 22 (which is the default SSH port) to your server.
Now, how does Cloud Firewall allow a response from the Linode to my client on port 40000? That's because Cloud Firewall is what's called a "stateful firewall". That basically means that it keeps track of the context of each connection by looking a bit further into the network packets. Because of this, it knows that the initial connection from my client to your port 22 was allowed and thus will also allow your server's response to my client's port 40000.
The same goes for incoming firewall rules, by the way. Let's say you are only allowing incoming connections to port 80 but all outgoing connections are allowed. If your Linode reaches out to an external service and chooses 50000 as the ephemeral port, when the service replies back to your Linode using port 50000 the traffic will be allowed.
On the other hand, a "stateless firewall" basically looks at packets in isolation. Going back to my initial example, it wouldn't allow your SSH server's response to my client's port 40000 even if it already allowed my incoming connection, because it doesn't know it did. For these types of firewalls you'd need to set outgoing connection rules, which may be a bit cumbersome given the random nature of client ephemeral ports. Here's what I think is a good explanation of stateless vs stateful firewalls:
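As an added illustration (not code from the answer above or from Cloud Firewall itself), here is a toy packet filter in Python that models the SSH example: a client at the constructed address 203.0.113.5 picks ephemeral port 40000 and connects to port 22 on a Linode at the constructed address 198.51.100.10, with only an inbound rule for port 22 and no outbound rules. The stateless check drops the server's reply, while the stateful tracker remembers the flow and lets the reply back out.

```python
"""Toy packet filter: why a stateful firewall passes SSH replies with no
outbound rule, while a stateless one does not. All addresses, ports and
rules below are constructed for this example."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "in" (toward the Linode) or "out" (from the Linode)

def stateless_allow(pkt, in_rules, out_rules):
    # Every packet is judged on its own: only the destination port counts.
    rules = in_rules if pkt.direction == "in" else out_rules
    return pkt.dst_port in rules

class StatefulFilter:
    def __init__(self, in_rules, out_rules):
        self.in_rules, self.out_rules = in_rules, out_rules
        self.established = set()  # 4-tuples of flows already admitted

    def allow(self, pkt):
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.established:
            return True  # reply belonging to a tracked connection
        if stateless_allow(pkt, self.in_rules, self.out_rules):
            self.established.add(flow)  # remember the admitted flow
            return True
        return False

def ssh_session(filter_fn):
    """Client 203.0.113.5:40000 -> Linode 198.51.100.10:22, then the reply."""
    syn = Packet("203.0.113.5", 40000, "198.51.100.10", 22, "in")
    reply = Packet("198.51.100.10", 22, "203.0.113.5", 40000, "out")
    return filter_fn(syn), filter_fn(reply)

IN_RULES, OUT_RULES = {22}, set()  # allow inbound SSH, block all outbound

def compare():
    stateless = ssh_session(lambda p: stateless_allow(p, IN_RULES, OUT_RULES))
    stateful = ssh_session(StatefulFilter(IN_RULES, OUT_RULES).allow)
    return {"stateless": stateless, "stateful": stateful}

if __name__ == "__main__":
    print(compare())  # {'stateless': (True, False), 'stateful': (True, True)}
```

Note that the stateful filter still drops a fresh outbound connection the Linode starts on its own, since no tracked inbound flow matches it.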