1
votes

I created an AWS EC2 instance. In the security group I have enabled an inbound rule only for port 22. The outbound rule is open to 0.0.0.0/0.

My question is, when I do an apt-get install or even a wget or curl, how is the data able to come back? (I have opened only inbound for port 22, correct? How are the data bits coming back over port 88 or 443?)


3 Answers

2
votes

Firewalls in general can be stateful or stateless.

Stateful firewalls keep track of connections. If you establish a connection from local port 12345 to remote port 80, your stateful firewall will allow return traffic through port 12345 for that connection.

Stateless firewalls treat each and every packet independently. That's why they're called stateless - they maintain no state. You'd have to specifically open port 12345 to inbound traffic for the above example to work. The challenge this introduces is that the ports your apps use for outbound connections are arbitrary (they're not known in advance).

Stateless firewalls are generally more efficient because they are very simple, don't have to maintain state, and only look at the packet header.

In the specific case of AWS, they offer both types of firewall:

  1. Security Groups which are stateful
  2. Network Access Control Lists which are stateless

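The difference described in this answer, worked through as an added example (not code from the original post or from AWS): a toy packet filter that behaves like a security group (stateful) beside one that behaves like a network ACL (stateless), run over a constructed apt-get style HTTP fetch. The addresses, ephemeral port 41234 and the probing host are made up for illustration; the 1024-65535 range is the ephemeral range AWS documents for NACL inbound rules.

```python
"""Toy stateful vs stateless packet filter (added example, not from the post).

Models the question's security group (inbound 22 only, outbound anything)
as a stateful filter and as a stateless one, over a constructed exchange.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = leaving the instance, "in" = arriving at it


@dataclass(frozen=True)
class Rule:
    direction: str
    port_lo: int
    port_hi: int  # inclusive range of *destination* ports

    def matches(self, pkt: Packet) -> bool:
        return pkt.direction == self.direction and self.port_lo <= pkt.dst_port <= self.port_hi


class StatelessFilter:
    """Network-ACL style: each packet judged on its own, no memory of flows."""

    def __init__(self, rules):
        self.rules = list(rules)

    def allow(self, pkt: Packet) -> bool:
        return any(r.matches(pkt) for r in self.rules)


class StatefulFilter:
    """Security-group style: remembers flows it allowed and admits their replies."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()  # (src_ip, src_port, dst_ip, dst_port) of allowed flows

    def allow(self, pkt: Packet) -> bool:
        # A reply to a tracked flow passes regardless of rules in its direction.
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows:
            return True
        if any(r.matches(pkt) for r in self.rules):
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        return False


INSTANCE = "10.0.0.5"        # constructed: the EC2 instance
MIRROR = "93.184.216.34"     # constructed: the package mirror being fetched from
STRANGER = "198.51.100.7"    # constructed: an unrelated host probing the instance

# The question's security group: inbound only 22, outbound everything.
QUESTION_RULES = [Rule("in", 22, 22), Rule("out", 0, 65535)]
# What a stateless NACL additionally needs so replies can get back:
# the ephemeral port range AWS documents for NACLs (assumed here as 1024-65535).
EPHEMERAL_RULE = Rule("in", 1024, 65535)


def apt_get_exchange(fw) -> dict:
    """Which packets of a constructed HTTP fetch does the filter let through?"""
    request = Packet(INSTANCE, 41234, MIRROR, 80, "out")   # instance -> mirror:80
    reply = Packet(MIRROR, 80, INSTANCE, 41234, "in")      # mirror:80 -> instance:41234
    probe = Packet(STRANGER, 4444, INSTANCE, 41234, "in")  # unsolicited, same port
    return {
        "request_out": fw.allow(request),
        "reply_in": fw.allow(reply),
        "unsolicited_in": fw.allow(probe),
    }


def compare() -> dict:
    return {
        "security_group": apt_get_exchange(StatefulFilter(QUESTION_RULES)),
        "nacl_same_rules": apt_get_exchange(StatelessFilter(QUESTION_RULES)),
        "nacl_plus_ephemeral": apt_get_exchange(
            StatelessFilter(QUESTION_RULES + [EPHEMERAL_RULE])
        ),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:20s} {result}")
```

Running it shows the three cases this answer implies: the stateful filter admits the reply on port 41234 without any inbound rule for it and still drops the unsolicited probe to that same port; the stateless filter with the question's rules drops the reply, so apt-get would hang; and a stateless filter with the ephemeral range opened admits the reply but also admits the probe, which is the price of statelessness. The toy tracks only a 4-tuple and ignores protocol and TCP state, which real connection tracking also uses.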

1
votes

From the official documentation:

Security groups are stateful — if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.

-1
votes

how the data bits are coming back over port 88 or 443)?

They aren't. They are coming back from that port, to your outbound port.

Outbound ports can receive inbound data.

Otherwise they would be pointless.