Egress filtering

This is from a really old internal doc I kept at one of my past jobs, but it gave our customers some ideas for traffic they might want to filter on their egress Internet connection to keep potentially bad stuff away:

Traffic you probably want to completely block headed outbound

  • MS RPC – TCP & UDP port 135
  • NetBIOS/IP – TCP & UDP ports 137-139
  • SMB/IP – TCP port 445
  • Trivial File Transfer Protocol (TFTP) – UDP port 69
  • Syslog – UDP port 514
  • Simple Network Management Protocol (SNMP) – UDP ports 161-162
  • Internet Relay Chat (IRC) – TCP ports 6660-6669

Traffic you probably want to allow to/from only specific hosts

  • SMTP – allowed outbound from only the mail server/smarthost
  • DNS – allowed outbound only from specific hosts to specific upstream providers
  • NTP – allow internal hosts to sync with the domain controllers, and then allow only the domain controllers to sync with specific upstream hosts
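The two lists above translate naturally into a small policy table: a set of ports dropped outright, plus a few services that are only allowed between named hosts. The following Python is an added example, not part of the original doc: it evaluates a single outbound flow against that policy and renders the same policy as an nftables ruleset. All addresses (the `10.0.0.0/8` LAN, the mail host, resolvers, domain controllers and the `203.0.113.x` upstream providers) and the `wan0` interface name are constructed placeholders you would replace with your own.

```python
"""Egress policy model for the two lists above (added example, not from the post).
All addresses are constructed placeholders (RFC 1918 / RFC 5737 ranges)."""
import ipaddress
from typing import Dict, List, Tuple

# Ports the post says to block outright, keyed by protocol.
BLOCK_OUTBOUND: Dict[str, set] = {
    "tcp": {135, 137, 138, 139, 445, *range(6660, 6670)},
    "udp": {135, 137, 138, 139, 69, 514, 161, 162},
}

# Assumed site layout (constructed): who may use the host-restricted services.
LAN = ["10.0.0.0/8"]
MAIL_HOST = ["10.0.0.25/32"]          # the mail server / smarthost
RESOLVERS = ["10.0.0.53/32"]          # internal recursive resolvers
DCS = ["10.0.0.10/32", "10.0.0.11/32"]  # domain controllers
UPSTREAM_DNS = ["203.0.113.53/32"]    # assumed provider resolver
UPSTREAM_NTP = ["203.0.113.123/32"]   # assumed upstream time source
ANYWHERE = ["0.0.0.0/0"]

# (proto, port) -> list of (allowed sources, allowed destinations).
# A flow on one of these ports that matches no pair is dropped.
# The LAN -> DCS pair for NTP never crosses the perimeter; it is modelled so
# the whole chain (clients -> DCs -> upstream) is visible in one place.
RESTRICTED: Dict[Tuple[str, int], List[Tuple[List[str], List[str]]]] = {
    ("tcp", 25): [(MAIL_HOST, ANYWHERE)],
    ("udp", 53): [(RESOLVERS, UPSTREAM_DNS)],
    ("tcp", 53): [(RESOLVERS, UPSTREAM_DNS)],
    ("udp", 123): [(LAN, DCS), (DCS, UPSTREAM_NTP)],
}


def _in_any(ip: str, nets: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def evaluate(src: str, proto: str, dst: str, dport: int) -> str:
    """Return 'drop', 'accept' or 'default' for one outbound flow.
    'default' means none of the post's rules apply and the egress policy's
    own default (ideally deny) decides."""
    if dport in BLOCK_OUTBOUND.get(proto, ()):
        return "drop"
    pairs = RESTRICTED.get((proto, dport))
    if pairs is None:
        return "default"
    for sources, dests in pairs:
        if _in_any(src, sources) and _in_any(dst, dests):
            return "accept"
    return "drop"


def _ranges(ports) -> str:
    """Compress {135, 137, 138, 139} into '135, 137-139' for an nft set."""
    out, start, prev = [], None, None
    for p in sorted(ports) + [None]:
        if start is not None and p == prev + 1:
            prev = p
            continue
        if start is not None:
            out.append(str(start) if start == prev else f"{start}-{prev}")
        start = prev = p
    return ", ".join(out)


def render_nft(wan: str = "wan0") -> str:
    """Emit an nftables forward chain equivalent to evaluate(); the chain
    policy is drop, so flows evaluate() calls 'default' are dropped here
    unless you add accept rules for the services you really need."""
    lines = [
        "table inet egress {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        f'    oifname != "{wan}" accept   # internal and return traffic',
    ]
    for proto, ports in BLOCK_OUTBOUND.items():
        lines.append(f'    oifname "{wan}" {proto} dport {{ {_ranges(ports)} }} drop')
    for (proto, port), pairs in RESTRICTED.items():
        for sources, dests in pairs:
            dst = "" if dests == ANYWHERE else f' ip daddr {{ {", ".join(dests)} }}'
            lines.append(f'    oifname "{wan}" ip saddr {{ {", ".join(sources)} }}'
                         f'{dst} {proto} dport {port} accept')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(evaluate("10.0.5.7", "tcp", "203.0.113.9", 445))   # drop
    print(evaluate("10.0.0.25", "tcp", "198.51.100.20", 25))  # accept
    print(render_nft())
```

The drop rules come first so that the restricted-service accepts can never override them, and the rendered chain defaults to drop; the evaluate() function separates "none of these rules apply" from an explicit verdict so you can see which flows your own default policy still has to decide.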

References: https://www.sans.org/reading-room/whitepapers/firewalls/egress-filtering-faq-1059.