On 4/8/24 16:11, George at Clug wrote:
> I do like the idea of blocking all outbound connections, and only
> opening ports that are required for whatever services I want to use.
> For servers I often do, but for workstations, sadly I am often lazy and
> default to allowing all outgoing traffic.

Let's look at the different cases.
*Source port blocking*
Here you block source ports on your machine from connecting to a remote
system say on a well known remote port.
This is a bad idea. Most applications on your system will select random
source addresses from your unprivileged range and use those.
Particularly web browsers but even system services. If you block them
you won't have internet access.
Then there are services using a source port from the privileged range. It's
less common but does happen. Again, blocking privileged source ports is
a bad idea.
*Destination Port blocking*
These are services your client needs to connect to. Principally these
will be http and https and dns and ntp and dhcp etc. If you block these
destination ports you'll lose internet connectivity.
But there are more problems with destination port blocking. Some services
such as SIP Telephony will direct your client to connect to specific
ports on a remote system. If you have a blanket ban your phone service
won't work.
*You have been compromised*
Here something nasty has got in your system. The majority of these
nasties won't connect to random remote ports, they will use well known
ports including SMTP, HTTP, HTTPS, DNS, NTP etc. These must be kept open
for usual use so that is why the baddies use them.
(There used to be the case that SMB ports were exploited. This is one
destination port it's good to explicitly ban)
*Summary*
- You can't block source ports
- Blocking unknown destination ports will cause you problems
- The destination ports you don't/can't block will be used in preference
by baddies.
- You may get some benefit by explicitly blocking some destination ports
on a case by case basis.
Your best defence is to install mandatory access controls on your system
to limit any exploit. Personally I use SELinux.
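For the workstation case discussed above, this is an added nftables egress ruleset (my own example, not from the thread): keep established traffic, allow the client services named in the mail, explicitly ban SMB, and log the default drop so you can see what else your applications need. The port set, the log prefixes and the table name are assumptions for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example: workstation egress policy. Not from the thread.
flush ruleset

table inet egress {
    chain output {
        type filter hook output priority 0; policy drop;

        # Never touch source ports: applications pick random unprivileged
        # source ports, so rules are written on destination ports only.
        ct state established,related accept
        ct state invalid drop
        oif lo accept

        # ICMP/ICMPv6 (including IPv6 neighbour discovery) must stay open
        # or the host loses basic connectivity.
        meta l4proto { icmp, icmpv6 } accept

        # Services a client needs: DNS, NTP, DHCP, HTTP(S).
        udp dport { 53, 123 } accept
        tcp dport { 53, 80, 443 } accept
        udp sport 68 udp dport 67 accept        # DHCPv4 client
        udp sport 546 udp dport 547 accept      # DHCPv6 client

        # Mail submission: keep only if a mail client runs on this box.
        tcp dport { 465, 587 } accept

        # The one destination the mail suggests banning explicitly: SMB/NetBIOS.
        tcp dport { 139, 445 } log prefix "egress-smb-drop " drop

        # Everything else is dropped and logged. Expect this to break
        # services such as SIP that direct the client to arbitrary remote
        # ports; add them case by case from the log. Note that malware
        # using 443 passes this chain, which is why a MAC such as SELinux
        # is the real defence rather than port filtering.
        log prefix "egress-drop " drop
    }
}
```

Load it with `nft -f <file>` and watch the kernel log for the "egress-drop" prefix before tightening further.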