Help me understand output in firewall

I understand input is for a device in the firewall zone to communicate with the router, and forward is for two interfaces in the same zone to communicate. But what's the deal with output?
If I reject it for any zone, I lose Internet access and even DHCP, even though I have traffic rules to allow DHCP specifically. The only zone unaffected by output policy is a WireGuard VPN zone where everything is set to reject.
I didn't find clear examples of usage for output. Can you help me?


I read that already and still have troubles understanding. Could you ELI5 or something?

You should allow traffic from your router.
In short, set output to accept for all zones.

Yes, since everything seems to break if I reject it. But could you help me understand with an example? For instance, why can it be disabled for the VPN zone?

If you block the output for a specific zone, then your router will not be able to establish client connections in that zone, unless you allow it with explicit firewall rules.
This applies to obtaining DHCP and DHCPv6 leases, resolving hostnames with DNS, synchronizing time with NTP, performing diagnostics with ICMP, downloading packages with HTTP and HTTPS, etc.
Each of the mentioned protocols would require creating permissive firewall rules to work properly.


I still don't understand. Why reject output when you can simply reject input? It seems like a second dam on the same river. What's a use case when it's actually needed and can't be worked around with input?

  • Incoming connections to the router use INPUT.
  • Incoming traffic is considered as a potential threat to the router.
  • Incoming connections are filtered on the upstream zone.

  • Outgoing connections from the router use OUTPUT.
  • Outgoing traffic is not considered a threat to the router.
  • Outgoing connections are not filtered by default.

In most cases we are talking about the first packet in a new connection. If you reject an incoming connection to, say, port 8080, it doesn't mean that creating a new outgoing connection from port 8080 is implicitly rejected.

No, because stateful firewalls override such simplistic approaches by allowing related and established connections regardless of the input/output policies.

You may want to block the overall access of the device itself towards one zone, yet allow forwarding and maybe some exceptions.

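As an added example (not posted in this thread), here is an /etc/config/firewall fragment that shows what the replies above describe: a wan zone with output set to REJECT, the explicit OUTPUT rules the router then needs for its own DHCP, DNS, NTP and package downloads, and a WireGuard zone where output REJECT costs nothing. The zone and network names (wan, wan6, vpn, wg0) are assumed; in OpenWrt's firewall config a rule with dest but no src is attached to the OUTPUT chain.

```uci
# /etc/config/firewall (fragment, assumed names). With output 'REJECT' on wan,
# every connection the router itself opens towards wan needs its own rule.
# ICMP diagnostics (ping, traceroute) would need a similar rule with proto 'icmp'.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'REJECT'   # default is ACCEPT; REJECT is what breaks DHCP, DNS, NTP
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# DHCPv4 client: the router sends from port 68 to the upstream server's port 67
config rule
	option name 'Allow-DHCP-Client-out'
	option dest 'wan'
	option proto 'udp'
	option src_port '68'
	option dest_port '67'
	option family 'ipv4'
	option target 'ACCEPT'

# DNS (dnsmasq forwarding) and NTP (sysntpd) originated by the router
config rule
	option name 'Allow-DNS-NTP-out'
	option dest 'wan'
	option proto 'tcp udp'
	option dest_port '53 123'
	option target 'ACCEPT'

# HTTP/HTTPS for opkg, sysupgrade downloads and similar
config rule
	option name 'Allow-HTTP-HTTPS-out'
	option dest 'wan'
	option proto 'tcp'
	option dest_port '80 443'
	option target 'ACCEPT'

# The VPN zone keeps output 'REJECT' with no extra rules: the WireGuard handshake
# and tunnel packets are UDP sent by the router to the peer endpoint, which leave
# through wan (assumed here), and the router originates nothing inside the tunnel.
config zone
	option name 'vpn'
	list network 'wg0'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
```

After editing, apply with `/etc/init.d/firewall restart` and confirm with `fw4 print` (or `fw4 check` on the config) that the rules landed in the output chain rather than input.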

This video helped me to understand the firewall.