LinuxQuestions.org

scorbett 11-01-2004 08:08 PM

Egress filtering
 
I do egress filtering on my server to minimize the damage that could occur if somebody somehow manages to root the box. I guess my thinking is like this: say somebody gets in with user-level access... with egress filtering in place, they wouldn't be able to use my box to DoS any other box. The only allowed outbound port is SMTP.

Every now and then I see a bunch of log messages relating to some traffic that got blocked trying to go out a high numbered port. Something like this:

Quote:

From (my server's IP) - 21 packets
To xxx.xxx.xxx.xxx - 9 packets
Service: 17101 (tcp/17101) (IPT OUT_FIREWALL:,none,eth0) - 9 packets
To xxx.xxx.xxx.xxx - 1 packet
Service: 1710 (tcp/1710) (IPT OUT_FIREWALL:,none,eth0) - 1 packet
To xxx.xxx.xxx.xxx - 10 packets
Service: 33404 (tcp/33404) (IPT OUT_FIREWALL:,none,eth0) - 5 packets
Service: 33406 (tcp/33406) (IPT OUT_FIREWALL:,none,eth0) - 5 packets
To xxx.xxx.xxx.xxx - 1 packet
Service: 18851 (tcp/18851) (IPT OUT_FIREWALL:,none,eth0) - 1 packet
This makes me nervous! Why is my server trying to send outbound packets on these high-numbered ports? The only server software I'm running is Postfix for mail and Apache for http traffic. IPTables is good enough to tell me that the outgoing traffic was blocked, but doesn't tell me what piece of software was trying to send the data. Some days it doesn't happen at all, other days hundreds of packets will be blocked. Should I be worried? What could be causing this?

My other question is more general... is egress filtering worth the effort? Does anybody else out there do it? Does it increase my security tangibly? I mean, if somebody roots the box, the first thing they'd do is disable iptables so is my egress filtering scheme really doing any good?
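The summary above only shows the destination port of each blocked packet, and a destination port alone does not say whether the box was opening a connection or answering one. The raw kernel LOG lines that iptables writes carry both ports and the TCP flags, and those distinguish the two cases: a packet leaving with SPT=80 and the ACK flag set is Apache replying to an inbound client (which points at an OUTPUT chain with no rule for established connections), while a packet with an ephemeral source port and only SYN set is a new outbound connection that should be traced back to a process. The script below is an added example, not something from the original thread; it classifies lines from a chain named OUT_FIREWALL, and the two log lines and addresses in `sample_log` are constructed for the demonstration.

```shell
#!/bin/sh
# Classify iptables LOG lines from an egress-filter chain (prefix "OUT_FIREWALL:").
# Reads kernel log lines on stdin and prints one summary line per packet:
#   <class> <proto> SRC:SPT -> DST:DPT flags=<tcp flags>
classify_egress_log() {
  awk '
  /OUT_FIREWALL/ {
    src = dst = spt = dpt = proto = ""; flags = ""
    for (i = 1; i <= NF; i++) {
      if      ($i ~ /^SRC=/)   src   = substr($i, 5)
      else if ($i ~ /^DST=/)   dst   = substr($i, 5)
      else if ($i ~ /^PROTO=/) proto = substr($i, 7)
      else if ($i ~ /^SPT=/)   spt   = substr($i, 5)
      else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
      else if ($i == "SYN" || $i == "ACK" || $i == "RST" || $i == "FIN") flags = flags $i ","
    }
    # Ports this box is known to serve: SMTP and HTTP(S) (assumption: Postfix and Apache only).
    service = (spt + 0 == 25 || spt + 0 == 80 || spt + 0 == 443)
    if (proto == "TCP" && service && flags ~ /ACK|RST/)
      class = "reply-from-service"        # answer to an inbound connection, not a new one
    else if (proto == "TCP" && flags == "SYN,")
      class = "new-outbound-connection"   # something local opened a connection; find the process
    else
      class = "other"
    printf "%s %s %s:%s -> %s:%s flags=%s\n", class, proto, src, spt, dst, dpt, flags
  }'
}

# Constructed sample log lines (RFC 5737 documentation addresses, not real hosts).
sample_log() {
  cat <<'EOF'
Nov  1 20:08:01 mail kernel: OUT_FIREWALL: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=33404 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Nov  1 20:08:05 mail kernel: OUT_FIREWALL: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41022 DPT=17101 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
}

# Number of genuinely new outbound connections in the sample: the ones worth investigating.
count_new_outbound() {
  sample_log | classify_egress_log | grep -c '^new-outbound-connection'
}

# Usage on a real box: classify_egress_log < /var/log/kern.log
sample_log | classify_egress_log
```

Run against the live log with `classify_egress_log < /var/log/kern.log` (or whichever file syslog sends kernel messages to). Lines classed as `reply-from-service` are the firewall blocking the server's own replies; lines classed as `new-outbound-connection` are the ones to tie to a process, for which a `LOG --log-uid` rule records the UID that generated the packet and `ss -tnp` or `netstat -tnp` run while the traffic is happening shows the owning program.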

macburton 11-01-2004 08:57 PM

Once your box is infected with a rootkit it is owned by the devil. What if the trojaned iptables/netfilter software logs messages about traffic being blocked but still passes the traffic along? The hacker becomes the master of your box after installing the rootkit. He does not become god though; you still own the power switch :D. Try to look at intrusion detection systems if you really want to be sure.

chort 11-03-2004 11:15 AM

Well, it's sort of difficult to tell without having both the source and destination port. I do use egress filtering myself, just in case one of my boxen ever gets compromised it won't be able to send spoofed packets for a DDoS, to conceal scanning, etc. Also, in the unlikely case where someone did manage to associate with my W/LAN, they wouldn't be able to send out spoofed traffic either.

Oh, I suppose I could point out that you could have even more strict egress filtering, such as restricting outbound connections to only use the ports and destination addresses that are valid for your usage. You could restrict outbound SMTP connections to only go to your ISP's SMTP server, for instance. That would almost completely prevent a spambot from ever being able to use your box if it compromised any account other than root. I'm sure you could think of other interesting scenarios.


All times are GMT -5. The time now is 02:52 PM.