DEV Community

Danyson

Firewall: Egress Filtering with ufw

What is a firewall with egress filtering?

Egress filtering is the control of traffic leaving our network: firewall rules limit outbound flows to a reduced, known subset.

Which tool are we going to use for egress filtering?

We are going to use ufw, which ships by default on Ubuntu. ufw can also be installed on other Linux distributions.

Let's become root first:

sudo su

We assume an Ubuntu system here. Let's start by enabling ufw:

ufw enable

Why is there a need for Egress Filtering?

Egress filtering restricts information you don't want leaking to the internet. If an internal system is compromised and starts sending data to remote hosts, that can be prevented; leaks caused by misconfiguration or by network mapping attempts can be prevented as well.

Now we are going to block some TCP/UDP ports and IP addresses from establishing outbound connections.

Trivial File Transfer Protocol - TFTP - UDP - 69

TFTP moves files between remote hosts, so it is a convenient doorway for an attacker to pull payloads onto a compromised system. An unusual TFTP connection between your system and a remote host is an indicator of compromise.

You can check whether any connection is established on this port with the following command:

netstat -anu | grep ":69" 

It is better to block the port so that no outbound TFTP communication is possible.

For that, try the following command:

ufw deny out 69/udp

Your firewall now blocks outbound TFTP on UDP port 69.

Syslog - UDP - 514

Syslog on UDP port 514 sends logs to a remote server. Log files may contain sensitive or private information, so whenever you are not sure a system should be shipping logs, you can block outbound syslog.

Try,

ufw deny out 514/udp

Simple Network Management Protocol - SNMP - UDP - 161-162

SNMP, on UDP ports 161 to 162, collects and organizes information about devices, monitors the network, detects network faults, and is sometimes even used to configure remote devices.

To block SNMP, try:

ufw deny out 161:162/udp

Simple Mail Transfer Protocol - SMTP - TCP - 25

Many systems are compromised to be used as spam relays. To avoid this, we can block all IPs from accessing TCP port 25 except our mail server's IP:

ufw allow from <our-mail-server-ip> to any proto tcp port 25
ufw deny from any to any proto tcp port 25

Internet Relay Chat - IRC - TCP - 6660-6669

IRC is a text-based messaging network. An attacker can use IRC to communicate with a compromised system; although IRC can run on any port, the most common range is 6660 to 6669.

Try,

ufw deny out 6660:6669/tcp
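
The rules from the TFTP, syslog, SNMP, SMTP and IRC sections, collected into one script as an added example that is not part of the original post. It goes a little beyond the sections above in two ways. First, ufw assumes the direction "in" when none is given, so the two SMTP rules above filter connections arriving at port 25 on this host; to keep a compromised host from relaying spam outward, the same pair needs "out", with the allow added before the deny because ufw applies the first matching rule. Second, it adds a check that reads the output of ufw status and reports which deny rules are missing. MAIL_SERVER_IP is a placeholder for your relay's address (192.0.2.10 is a documentation address), and the sample status text at the bottom is constructed so the check can run offline.

```shell
#!/bin/sh
# Added example, not from the original post: the egress rules from the
# TFTP, syslog, SNMP, SMTP and IRC sections gathered into one script,
# plus a check that parses `ufw status` output to confirm they are loaded.
# Assumed: MAIL_SERVER_IP is replaced with the real mail relay address;
# 192.0.2.10 is a documentation-range placeholder.

MAIL_SERVER_IP="${MAIL_SERVER_IP:-192.0.2.10}"

# name|proto|port-or-range, taken from the sections above.
EGRESS_BLOCKLIST='tftp|udp|69
syslog|udp|514
snmp|udp|161:162
irc|tcp|6660:6669'

# Build one "ufw deny out PORT/PROTO" command (text only, nothing executed).
egress_rule() {
  printf 'ufw deny out %s/%s\n' "$2" "$1"   # $1 = proto, $2 = port(s)
}

# Expand the whole blocklist into the commands to run, one per line.
egress_rules() {
  printf '%s\n' "$EGRESS_BLOCKLIST" | while IFS='|' read -r name proto ports; do
    [ -n "$name" ] || continue
    egress_rule "$proto" "$ports"
  done
}

# Outbound SMTP: the post's rules use ufw's default direction (in) and
# filter connections arriving at port 25. To stop this host from relaying
# spam outward the rules need "out". The allow is emitted first because
# ufw applies the first matching rule.
smtp_egress_rules() {
  printf 'ufw allow out proto tcp to %s port 25\n' "$1"
  printf 'ufw deny out proto tcp to any port 25\n'
}

# Run the generated commands; fall back to printing them when ufw is absent.
apply_egress_rules() {
  if ! command -v ufw >/dev/null 2>&1; then
    echo "ufw not installed; commands that would run:" >&2
    { egress_rules; smtp_egress_rules "$MAIL_SERVER_IP"; } >&2
    return 1
  fi
  { egress_rules; smtp_egress_rules "$MAIL_SERVER_IP"; } | while read -r cmd; do
    $cmd    # word splitting of the generated command is intended
  done
  ufw status numbered
}

# Read `ufw status` output on stdin and print blocklist entries that have
# no matching "DENY OUT" line; no output means the policy is in place.
missing_egress_rules() {
  status=$(cat)
  printf '%s\n' "$EGRESS_BLOCKLIST" | while IFS='|' read -r name proto ports; do
    [ -n "$name" ] || continue
    printf '%s\n' "$status" | grep -Eq "^$ports/$proto[[:space:]]+DENY OUT" \
      || printf '%s %s/%s\n' "$name" "$ports" "$proto"
  done
}

# Constructed sample of `ufw status` output with the SNMP rule left out,
# so the check can be demonstrated offline.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
69/udp                     DENY OUT    Anywhere
514/udp                    DENY OUT    Anywhere
6660:6669/tcp              DENY OUT    Anywhere
69/udp (v6)                DENY OUT    Anywhere (v6)'

echo "Rules this script applies:"
egress_rules
smtp_egress_rules "$MAIL_SERVER_IP"
echo "Missing from the sample status:"
printf '%s\n' "$SAMPLE_STATUS" | missing_egress_rules
```

Run apply_egress_rules as root on the target host, then pipe a real ufw status through missing_egress_rules to confirm nothing was skipped. A stricter posture than these individual denies is ufw default deny outgoing followed by explicit allow rules for the services the host is expected to reach.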

The Internet Control Message Protocol - ICMP

ICMP is a network layer protocol used by network devices to diagnose network communication issues. ICMP is mainly used to determine whether or not data is reaching its intended destination in a timely manner.

ICMP exposes the system in three different ways:

  1. Echo reply packets (type 0, code 0) are returned by a system in response to echo request packets; this is what happens when someone pings our system and it replies. An attacker can use this as a covert communication channel.

  2. An attacker can ping the hosts on a network and look for host unreachable replies (type 3, code 1) to tell which hosts are offline and which are online, which turns ICMP into a network mapping tool.

  3. Time exceeded in transit (type 11, code 0): network mapping tools like traceroute, tracert, Firewalk and tcptraceroute map all the routers between a source and a target host by sending packets with an abnormally low Time To Live (TTL), so each routing device on the path returns an ICMP time exceeded message.

As usual, get root with:

sudo su

Let's take a backup of our firewall rules:

cp /etc/ufw/before.rules /etc/ufw/before.rules_backup

then open the file for editing:

vi /etc/ufw/before.rules

which contains a block like the one below:

# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

Change the three types discussed above to DROP, like below:

# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP

Then reload the firewall:

ufw reload
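
The before.rules change above, done as a scripted edit and verified before reloading, as an added example that is not part of the original post. It assumes the file keeps the default one-rule-per-line layout shown above; the functions take the file path as an argument, and the demo at the bottom works on a constructed temporary copy of the block, so /etc/ufw/before.rules is only touched when you pass that path yourself.

```shell
#!/bin/sh
# Added example, not from the original post: makes the before.rules ICMP
# change above as a scripted edit instead of a vi session, and verifies
# the result before `ufw reload`. Assumed: the file keeps the default
# one-rule-per-line layout shown above.

# ICMP types the post switches from ACCEPT to DROP in the INPUT block.
DROP_TYPES='destination-unreachable|time-exceeded|echo-request'

# Flip the matching ufw-before-input rules in file $1 to DROP; sed keeps
# the original as $1.bak (in addition to the cp backup taken above).
set_icmp_input_drop() {
  sed -i.bak -E \
    "s/^(-A ufw-before-input -p icmp --icmp-type ($DROP_TYPES) -j )ACCEPT\$/\1DROP/" \
    "$1"
}

# Print "type action" for each ICMP rule in the INPUT block of file $1.
icmp_input_policy() {
  sed -nE 's/^-A ufw-before-input -p icmp --icmp-type ([a-z-]+) -j ([A-Z]+)$/\1 \2/p' "$1"
}

# Space-separated list of the ICMP types that file $1 drops on INPUT.
icmp_input_dropped() {
  icmp_input_policy "$1" | awk '$2 == "DROP" { printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# Constructed copy of the default block shown above, written to a temp
# file so the functions can be exercised without touching /etc/ufw.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
EOF

set_icmp_input_drop "$demo_file"
echo "INPUT ICMP policy after the change:"
icmp_input_policy "$demo_file"
echo "Dropped types: $(icmp_input_dropped "$demo_file")"

# On the real host, as root: set_icmp_input_drop /etc/ufw/before.rules && ufw reload
```

Two things worth knowing before applying this on a real host. These are rules in the ufw-before-input chain, so they filter ICMP arriving at the host, not leaving it, and the same edit does not affect ICMPv6, which lives in /etc/ufw/before6.rules. Dropping inbound destination-unreachable also drops "fragmentation needed" (type 3, code 4), which path MTU discovery relies on, so TCP sessions to the host can stall on paths with a smaller MTU; dropping inbound time-exceeded likewise breaks traceroute run from the host itself, since the routers' replies arrive inbound.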

Hope you find this useful.