Source Address / Source Port vs Destination Address / Destination Port
OK, so let's dive into the details of IPv4. Each IP packet has a source IP address and port and a destination IP address and port. An IP address is for the whole computer, so the IP address is enough to bring a packet from computer A to computer B. If you have two services running on one computer like eMail and Webserver the IP packets need to reach the right service. The selection of the right service is done based on the ports.
If a client wants to connect to a server like a webserver or a mail server, then the client needs to know the IP address of the server. In a web browser you enter the DNS name or the IP address of the server. In a mail client it was also you that entered the name of the mail server. So when the client wants to connect to the server, the only thing missing is the port. To make that easy, there are standards that define which port is used/reserved for which service. For http for example port 80 is reserved. A webserver is only listening on port 80 but ignoring any other ports.
If you want to, you can configure a webserver to listen to any port you want, it could also for example be port 12345. But then clients would need to enter http://ip:12345/
so the web browser knows on which port to contact the webserver. Just giving http://ip/
would be a short cut for http://ip:80/
.
So as you have seen, the server is working on a well defined port, he is receiving packets sent to destination=server-ip:server-port and sending packets with source=server-ip:server-port. On the cient side the operating system is opening a new socket for each new connection and assigning a unique (not yet used) port to the socket. Which port is used is not relevant. The client is the one who is initiating a connection, he sends packets with source=client-ip:client-port to the server. The server can look at the packet's source and now knows who is connecting him and where he shall send back the answers.
Each quadruple server-ip:server-port:client-ip:client-port uniquely identifies a connection.
Clients view connections as outgoing, servers view them as incoming. Firewalls can have outbound rules (sending packets) and they can have inbound rules (receiving packets). If you want to block http connections from/to your computer, the only thing you know is the port that the server is using. So when you want to block web browsers on your computer, then you must define a deny outbound firewall rule for destination=port 80. If you want to block other computers so they can't connect a web server that you are running on your computer, then you must define a deny inbound firewall rule for destination=port 80.
Some more stuff you didn't ask for:
- Not every service has a designated/reserved IP port.
- There are also protocols for special service discovery procedures.
- The (16 bit) range of ports is divided into two parts. Port numbers 1-1024 are reserved for admin/system processes while higher port numbers can be used by anyone.
You're closing outbound connections TO port 80, you gotta remember that outbound connections are going to servers like Google, StackOverflow and other websites/whatever.
Your browser makes connections to the other servers on port 80 and by you blocking that you're stopping your browser making that connection.
Say someone connected to your IP via their browser, that would be classed as incoming traffic on port 80 (or 443 for https) TCP, if you block that port for incoming traffic, then they wont be able to connect to it.
Say you connected to an IP or DNS record via your browser, that would be classed as outgoing traffic on port 80/443 TCP, blocking that port on outgoing will result in no connection being made to that server.