Firewall inbound vs outbound filtering

I believe that outbound filtering is more critical than inbound filtering. Data exfiltration / theft, telemetry, spyware and malware connecting to command and control servers is the more likely attack vector. The mobile app industry has normalized very unsavoury practices and business models and unfortunately this has started to also become the norm in desktop/server OSes and software.

Even tools like the Hashicorp suite have telemetry enabled by default. I'm sure it's benign but I feel it erodes trust to feel entitled to help yourself to somebody else's data.

I have process-level default deny outbound filtering on my Windows workstations and mobile devices. I also make use of DNS filtering on my network and homelab. Unfortunately DNS filtering is compromised now that software can trivially bypass the system resolver and use DNS-over-HTTPS to disguise DNS lookups and prevent inspection.

@termv I totally agree with you. I have seen environments where there is no outbound filtering and I think you are asking for trouble with that. Many focus on inbound filtering as this is the traditional perspective. However, outbound can shed light on many types of unwanted or even malicious traffic as you mention.

I am currently using a Palo Alto in the home lab. One of the things that Palo's are known for is app filtering. With this, you can effectively block app signatures like DNS-over-HTTPS. They are expensive, but I think they are the best out there for overall security:

i'm not doing any outbound filtering, however i am using Security Onion to monitor all outbound traffic. it generates reports and alerts on suspicious traffic. i haven't tuned it much (there's a lot of noise i need to filter out), and i also need to set up actual email/push alerts. it's been an interesting tool to check out.