# How can you block outgoing internet while allowing incoming?



## watcher (Sep 4, 2006)

Short and to the point: How can you block outgoing internet while allowing incoming or is it even possible?


----------



## mnn2501 (Apr 2, 2008)

No
You have to send requests out to pull up internet sites.


----------



## wberry85 (Feb 28, 2013)

Sure it's possible. How about you tell us for what purpose you want to do this and I can tell you if it is reasonable.


----------



## TMTex (Apr 5, 2013)

mnn2501 said:


> No
> You have to send requests out to pull up internet sites.


If you're talking about surfing the web and choosing which sites you view, this is correct.

If not, this is the wrong forum to be asking about that.


----------



## MoonRiver (Sep 2, 2007)

At a high level, or low level depending how you look at it, TCP is a connection-oriented protocol. So in that sense, you have to have 2-way communications.

If you just want to prevent uploading files to the Internet, that can be done.


----------



## watcher (Sep 4, 2006)

wberry85 said:


> Sure it's possible. How about you tell us for what purpose you want to do this and I can tell you if it is reasonable.


Mainly because I'm a little paranoid. Normally I get online, do what I need to do, then disconnect my internet. I've done this from the time I switched from using BBS to the internet. But since I don't have a great internet connection, when I have to download a big file or update I have to leave it connected for a long time and usually w/o me at the machine. I have a firewall, anti-virus, anti-spyware and such but all of that only works AFTER the programmers find a threat.

I was thinking if there was some way to shut down the outgoing internet connection during the times when I had to be connected to get updates and such, a hacker's program would only have a very short time each day (while I'm actually online) to do anything. Therefore if I were infected there shouldn't be much, if any, damage done before the good guys found a way to stop the newest hack.


----------



## farmerj (Aug 20, 2011)

Stop being paranoid. It will only give you ulcers. Even the best antivirus and anti-whatever will not get all the crud on the net. It will never be proactive and always reactive.

The best way to protect yourself is use due diligence on your surfing and learn where attackers like to hide things. And watch your email. That's the biggy right there.


----------



## arabian knight (Dec 19, 2005)

Since you say it has to be connected to 'stay on' then you have to have it doing all the things it must, as the connection must see that you are connected to stay connected. It has to feel you are connected to stay connected and it has to do this by keeping the Two-Way communications Open in both directions.
As long as you have a good virus protection, keep updates on whatever OS you are using and have the firewall on, you really don't have much to worry about at all.
And the way it sounds you are on Dial Up? And hackers just are not going to look at you; they want Fast Fast connections so they can do their worst in the fastest amount of time. Don't Worry~!


----------



## MikeC (Mar 29, 2012)

If you practice good policies such as not going to questionable sites, never opening attachments from people you don't know, not going to spam sites, etc., then you are in all likelihood just fine. Especially considering all the anti-whatever software you are running. As someone else mentioned these are entirely reactive and it's entirely up to you to be proactive.

That being said I run a network of computers at home, with seven of them being online and running 24/7. We also have ipads, phones, and just about every imaginable device running. I'm never disconnected from the internet. My household has no issues with any sort of virus. I scan regularly, keep AVG running on my PC's, my server runs a very heavy handed spam protection software and we stay away from online porn (the biggest culprit) and anything that just seems questionable.

We ignore all emails from any institution no matter how legitimate they look (Insurance, credit cards, prince from Nigeria) and if we have a valid concern I call the phone # from my bill or back of my CC card.

A good firewall will let you block all outgoing ports and force you to specify both for applications and/or specific ports to allow communications. There are entire volumes of books written on this subject. There are both software and hardware firewalls. For the truly paranoid you dedicate a server to the job of providing a firewall for your network. You can build one for a few hundred bucks. This is what I have. Note, I'm an old hand at computer security and have built more networks than most people will ever be on.

If you are still extremely paranoid after all that, then search up and learn how to use a "packet sniffer", which lets you look into each TCP packet and examine the contents.


----------



## simi-steading (Sep 27, 2012)

The simplest solution... see that little button that has an I over an O on your computer? Push it and hold it for 10 seconds... Once that's done, you'll never have to worry about another hack ever...


----------



## watcher (Sep 4, 2006)

Maybe I'm just strange but even though statistically I "don't have much to worry about" I wear a helmet when I ride a motorcycle, seat belt when I drive a car, I use the ROPS and seat belt on my tractor, I have smoke detectors and fire extinguishers in my house and I wear a belt AND suspenders. IOW, I like to make sure I'm covered in case something happens. 

I was just trying to see if there was something I could use as another layer of protection here. It was implied that it was possible but I was asked why I wanted it. I have to infer from the answers my reason doesn't come up to the necessary standard to get the info so I could make the decision myself if I 'needed' to do it.

Thanks anyway.


----------



## WildernesFamily (Mar 11, 2006)

I don't have an answer for you, but are you using something other than Windows firewall? If not, you may want to try one like ZoneAlarm or Comodo that gives you a bit more control. ZA has a two way firewall, so you can control inbound and outbound traffic.

The Best Free Firewalls: http://www.pcmag.com/article2/0,2817,2422144,00.asp


----------



## simi-steading (Sep 27, 2012)

The real answer is yes, it can be done with a whole lot of firewall work, or you could do some interesting things with your host file... but then you really wouldn't be able to surf the net. Every time you click a button on your browser, if you don't let anything other than the data you see on the page through, you won't see anything, because there's a lot of other data that has to flow both ways with it on all different numbered ports. If you don't have the full data flow in both directions, nothing, or very little if anything is gonna happen... 

Even staying connected to your provider could become a problem if you start closing down ports and you don't pass data in both directions.

As long as you have a firewall and anti-virus you're protected well enough..


----------



## Nevada (Sep 9, 2004)

simi-steading said:


> The real answer is yes, it can be done with a whole lot of firewall work, or you could do some interesting things with your host file... but then you really wouldn't be able to surf the net. Every time you click a button on your browser, if you don't let anything other than the data you see on the page through, you won't see anything, because there's a lot of other data that has to flow both ways with it on all different numbered ports. If you don't have the full data flow in both directions, nothing, or very little if anything is gonna happen...
> 
> Even staying connected to your provider could become a problem if you start closing down ports and you don't pass data in both directions.
> 
> As long as you have a firewall and anti-virus you're protected well enough..


Actually, it can be done pretty easily with Linux. Install the APF firewall (it's free). It allows you to specify ingress and egress port lists for both TCP and UDP. To block outgoing traffic for a specific port, just include it in the ingress list but not in the egress list.


----------
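The default-deny outbound policy MikeC describes and the separate ingress/egress port lists Nevada mentions, modeled as an added example (not code from any poster and not APF's own code). The class, the port choices and the sample packets are constructed for illustration; the model covers TCP only and shows why reply traffic still flows when new outbound connections are blocked.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out", relative to the protected host
    remote_ip: str
    remote_port: int
    local_port: int
    syn: bool = False   # True only for the first packet of a TCP connection

class StatefulFilter:
    """Default-deny TCP filter with separate ingress and egress port lists."""

    def __init__(self, ingress_ports, egress_ports):
        self.ingress_ports = set(ingress_ports)  # local ports others may connect to
        self.egress_ports = set(egress_ports)    # remote ports this host may connect to
        self.flows = set()                       # connection-tracking table

    def allow(self, pkt):
        flow = (pkt.remote_ip, pkt.remote_port, pkt.local_port)
        if flow in self.flows:
            return True                  # part of a connection already permitted
        if not pkt.syn:
            return False                 # stray packet with no tracked connection
        if pkt.direction == "in":
            permitted = pkt.local_port in self.ingress_ports
        else:
            permitted = pkt.remote_port in self.egress_ports
        if permitted:
            self.flows.add(flow)         # later packets pass in both directions
        return permitted

def demo():
    # Constructed policy: inbound SSH allowed; outbound only DNS-over-TCP and HTTPS.
    fw = StatefulFilter(ingress_ports={22}, egress_ports={53, 443})
    packets = [  # constructed sample traffic (documentation address ranges)
        ("inbound ssh syn",   Packet("in",  "198.51.100.7", 50000, 22, syn=True)),
        ("ssh reply out",     Packet("out", "198.51.100.7", 50000, 22)),
        ("update over https", Packet("out", "203.0.113.10", 443, 40001, syn=True)),
        ("https data in",     Packet("in",  "203.0.113.10", 443, 40001)),
        ("unlisted outbound", Packet("out", "203.0.113.99", 6667, 40002, syn=True)),
        ("unsolicited in",    Packet("in",  "203.0.113.99", 6667, 40002)),
    ]
    return {name: fw.allow(p) for name, p in packets}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {'ALLOW' if verdict else 'DROP'}")
```

Outgoing packets are never blocked wholesale: the filter decides on the first packet of each connection, and everything belonging to a permitted connection then passes in both directions.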

