What is egress filtering on a firewall?
Egress filtering is when we control the traffic leaving our network. Egress filtering limits our outbound traffic flow to a reduced subset by introducing Firewall rules.
Which tool are we going to use to implement egress filtering?
We are going to use the ufw tool, which is the default on Ubuntu distros. You can also install ufw on other Linux distros.
Let's become root first
sudo su
We are assuming here that we have an Ubuntu system. Let's start by enabling ufw
ufw enable
Why is there a need for Egress Filtering?
Egress filtering restricts information that you don't want to leak to the internet. A compromised internal system may share information with remote hosts, and an information leak may also happen because of misconfigurations or network mapping attempts; both can be avoided.
Now we are going to block some TCP/UDP ports and IPs from establishing outbound connections
Trivial File Transfer Protocol - TFTP - UDP - 69
TFTP helps to move files between remote hosts, so it can be a doorway for an attacker to move payloads to the compromised system. An unusual connection between your system and a remote host through TFTP is an indication of a compromised system.
You can check whether any connection is established through this port by using the following command (the trailing space in the pattern keeps ports such as 690 or 6900 from matching)
netstat -anu | grep ":69 "
It's better to block this port so that it can't make any outbound connections.
For that, try the following command
ufw deny out 69/udp
Now your firewall blocks outbound TFTP on UDP port 69
Syslog - UDP - 514
Syslog, operating on UDP port 514, sends logs to a server. Log files may contain sensitive or private information, so any time you are not sure about a system, you can block syslog from making any outbound connection.
Try,
ufw deny out 514/udp
Simple Network Management Protocol – SNMP - UDP - 161-162
SNMP on UDP ports 161 to 162 is capable of collecting and organizing information, monitoring the network, detecting network faults, and is sometimes even used to configure remote devices.
To block SNMP, try
ufw deny out 161:162/udp
SMTP mail server - TCP - 25
Many systems are compromised to be used as spam relays for sending emails. To avoid this, we can block all IPs from accessing TCP port 25 except our mail server IP. The out keyword is needed here because ufw treats a rule without a direction as an inbound rule.
ufw allow out from <our-mail-server-ip> to any proto tcp port 25
ufw deny out from any to any proto tcp port 25
Internet Relay Chat – IRC - TCP 6660-6669
IRC is a network for text-based messaging. An attacker can communicate with the compromised system through IRC. Even though IRC can use any port, the most common port range is 6660 to 6669.
Try,
ufw deny out 6660:6669/tcp
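To check that the port rules above really apply to outbound traffic, the following sketch audits the text printed by ufw status; it is an added example, not part of the original post. The function names audit_egress and sample_status and the sample status output (including the documentation address 192.0.2.25) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `ufw status` output for the outbound denies from this post.
# On a real host (as root): ufw status | audit_egress

# Port specs blocked above, as ufw prints them in the "To" column.
REQUIRED="69/udp 514/udp 161:162/udp 6660:6669/tcp"

# Reads `ufw status` text on stdin and prints one finding per line.
# Exit status 0 means every required spec has a DENY OUT or REJECT OUT rule
# and no port 25 rule is inbound-only. IPv6 "(v6)" rows are ignored.
audit_egress() {
  awk -v required="$REQUIRED" '
    BEGIN { n = split(required, want, " ") }
    # Outbound block, e.g. "69/udp   DENY OUT   Anywhere"
    $2 ~ /^(DENY|REJECT)$/ && $3 == "OUT" { blocked[$1] = 1; next }
    # A port 25 rule whose action lacks OUT only filters incoming mail.
    $1 == "25/tcp" && $2 ~ /^(ALLOW|DENY|REJECT)$/ && $3 != "OUT" {
      print "WARN 25/tcp rule is not outbound: " $2 " " $3; bad = 1
    }
    END {
      for (i = 1; i <= n; i++)
        if (!(want[i] in blocked)) { print "MISSING " want[i] " DENY OUT"; bad = 1 }
      exit bad + 0
    }'
}

# Constructed sample of `ufw status` output (192.0.2.25 is a documentation address).
sample_status() {
  cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
69/udp                     DENY OUT    Anywhere
514/udp                    DENY OUT    Anywhere
161:162/udp                DENY OUT    Anywhere
25/tcp                     ALLOW       192.0.2.25
25/tcp                     DENY        Anywhere
EOF
}

# Demo on the constructed sample; findings are printed, non-zero status is expected.
sample_status | audit_egress || true
```

On the sample, the audit flags both port 25 rules as inbound-only and reports the missing IRC range.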
The Internet Control Message Protocol - ICMP
ICMP is a network layer protocol used by network devices to diagnose network communication issues. ICMP is mainly used to determine whether or not data is reaching its intended destination in a timely manner.
Using ICMP can lead to three different vulnerability scenarios
Echo reply packets (type 0 code 0) are returned by a system in response to receiving Echo Request packets. This is what happens when someone pings our system and it replies back. An attacker can use this as a secret communication channel.
An attacker can ping the hosts connected to a network and look for host unreachable (type 3 code 1) replies to identify which hosts are offline and which are online, which turns it into a network mapping tool for the attacker.
Time Exceeded in Transit (type 11 code 0): network mapping tools like traceroute, tracert, Firewalk and tcptraceroute map all of the routers between a source and a target host by crafting packets with an abnormally low Time To Live (TTL), so the routing devices in the path return ICMP time exceeded messages.
As usual, become root with
sudo su
Let's take a backup of our firewall rules
cp /etc/ufw/before.rules /etc/ufw/before.rules_backup
vi /etc/ufw/before.rules
which will show a section like the one below
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
Try changing it as below
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
Then reload the firewall
ufw reload
Hope you guys find this useful