What should a firewall permit regarding inbound connections into the internal network?


Multiple Choice

What should a firewall permit regarding inbound connections into the internal network?

Explanation:
The correct answer is to permit only established connections. Inbound traffic into the internal network should be controlled with stateful inspection (also called dynamic packet filtering): the firewall keeps a connection table, so return traffic for sessions initiated from inside is recognised as established (or related, such as an ICMP error or an FTP data channel tied to a tracked session) and allowed through, while any packet that matches no tracked session is dropped. New inbound connections are denied unless they fall under a specifically documented exception, such as a port-forward to a DMZ service or a VPN-terminated path. PCI DSS v3.2.1 states this almost word for word in Requirement 1.3.5 ("Permit only 'established' connections into the network"); v4.0 carries it into Requirement 1.4.2, which restricts inbound traffic from untrusted networks to authorized publicly accessible services and to stateful responses to communications initiated from the trusted network, with all other traffic denied.

That is why permitting only established connections is the best practice: every inbound packet is tied to a context the firewall has already allowed, which shrinks the attack surface and defeats common probing and unsolicited-access techniques. The other options fail for specific reasons. Opening all inbound connections exposes every internal service to the external network. Allowing inbound traffic solely because it comes from a trusted IP address ignores session context; source addresses are easily spoofed, and a compromised partner host inherits the access. Treating VPN origin as sufficient has the same weakness: a VPN can be part of the trusted path, but traffic arriving through it still needs session tracking and explicit rules rather than blanket access.

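To make the decision logic above concrete, here is an added Python model of a stateful inbound filter next to the two stateless shortcuts the explanation rejects. This is illustration code written for this page, not PCI DSS text and not any vendor's firewall implementation; every address (documentation ranges 198.51.100.0/24 and 203.0.113.0/24 plus a hypothetical 10.0.0.0/24 internal network), port, and the single port-forward exception to a DMZ host are constructed assumptions.

```python
"""Toy stateful packet filter for 'permit only established connections inbound'.

Added illustration of the decision logic, not PCI DSS text and not any
vendor's firewall code. Every address, port and rule below is constructed.
"""
from dataclasses import dataclass, field

INTERNAL_PREFIX = "10.0.0."        # assumed trusted (internal) network
TRUSTED_PARTNER = "203.0.113.10"   # assumed 'trusted' external address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK: a new connection attempt
    ack: bool = False   # TCP ACK set: claims to belong to an existing flow


def flow_key(pkt: Packet) -> frozenset:
    """Direction-independent identity of a flow (both endpoints)."""
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


@dataclass
class StatefulFirewall:
    """Default-deny inbound: accept only tracked flows or listed exceptions."""
    exceptions: set = field(default_factory=set)  # {(dst_ip, dst_port)} documented allows
    conntrack: set = field(default_factory=set)   # flow keys the firewall has admitted

    def outbound(self, pkt: Packet) -> str:
        # Record flows opened from inside so their replies count as ESTABLISHED.
        if is_internal(pkt.src):
            self.conntrack.add(flow_key(pkt))
        return "ACCEPT"

    def inbound(self, pkt: Packet) -> str:
        # ESTABLISHED: the packet belongs to a flow already in the table. (A real
        # conntrack also derives RELATED flows, e.g. ICMP errors or FTP data
        # channels, via protocol helpers; omitted in this toy.)
        if flow_key(pkt) in self.conntrack:
            return "ACCEPT"
        # Documented exception, e.g. a port-forward to a DMZ web server: only a
        # fresh SYN may open it, and the new flow is then tracked like any other.
        if pkt.syn and (pkt.dst, pkt.dport) in self.exceptions:
            self.conntrack.add(flow_key(pkt))
            return "ACCEPT"
        return "DROP"  # unsolicited: no session context and no exception


def trusted_ip_only(pkt: Packet) -> str:
    """Rejected option: allow inbound purely by source address."""
    return "ACCEPT" if pkt.src == TRUSTED_PARTNER else "DROP"


def ack_flag_only(pkt: Packet) -> str:
    """Pre-stateful 'established' approximation: trust the ACK flag alone."""
    return "ACCEPT" if pkt.ack else "DROP"


def run_scenarios() -> dict:
    """Run constructed packets through each policy; returns verdicts by scenario."""
    fw = StatefulFirewall(exceptions={("10.0.0.80", 443)})
    r = {}
    # 1. Internal client opens HTTPS outbound; the server's reply must get back in.
    fw.outbound(Packet("10.0.0.5", 40001, "198.51.100.20", 443, syn=True))
    r["reply_to_outbound"] = fw.inbound(Packet("198.51.100.20", 443, "10.0.0.5", 40001, ack=True))
    # 2. Unsolicited SSH attempt from that same external server.
    r["unsolicited_ssh"] = fw.inbound(Packet("198.51.100.20", 55555, "10.0.0.5", 22, syn=True))
    # 3. Spoofed source claiming the trusted partner's address.
    spoofed = Packet(TRUSTED_PARTNER, 55556, "10.0.0.5", 3389, syn=True)
    r["spoofed_trusted_ip_stateless"] = trusted_ip_only(spoofed)
    r["spoofed_trusted_ip_stateful"] = fw.inbound(spoofed)
    # 4. ACK probe with no tracked flow (what an 'nmap -sA' style scan sends).
    probe = Packet("198.51.100.77", 55557, "10.0.0.5", 445, ack=True)
    r["ack_probe_flag_only"] = ack_flag_only(probe)
    r["ack_probe_stateful"] = fw.inbound(probe)
    # 5. Documented exception: public HTTPS on the DMZ host, then its next packet.
    r["dmz_https_exception"] = fw.inbound(Packet("198.51.100.77", 55558, "10.0.0.80", 443, syn=True))
    r["dmz_https_followup"] = fw.inbound(Packet("198.51.100.77", 55558, "10.0.0.80", 443, ack=True))
    # 6. Same DMZ host, a port with no documented exception.
    r["dmz_ssh_no_exception"] = fw.inbound(Packet("198.51.100.77", 55559, "10.0.0.80", 22, syn=True))
    return r


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:32s} {verdict}")
```

Scenarios 3 and 4 are the ones worth studying: the trusted-IP rule accepts a spoofed SYN and the ACK-flag rule accepts a bare ACK probe, while the stateful filter drops both because neither matches a flow it admitted. On Linux the stateful policy corresponds to a default DROP policy on INPUT/FORWARD plus `iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` (nftables: `ct state established,related accept`), followed by the specific documented exceptions; the `ack_flag_only` function is the old `! --syn` shortcut that scenario 4 shows is bypassable.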
