What’s the point of firewalling outgoing connections


I have a firewall (csf) that lets you separately allow incoming and outgoing TCP ports. My question is, why would anyone want to have any outgoing ports closed?

I understand that by default you might want to have all ports closed for incoming connections. From there, if you are running an HTTP server you might want to open port 80. If you want to run an FTP server (in active mode) you might want to open port 21. But if it's set up for passive FTP mode, a bunch of ports will be necessary to receive data connections from FTP clients… and so on for additional services. But that's all. The rest of the ports, not concerned with a particular service that the server provides, and especially if you are mostly a client computer, must be closed.

But what about outgoing connections? Is there any security gain in having destination ports closed for outbound connections? I ask this because at first I thought that a very similar policy of closing all ports as for incoming connections could apply. But then I realised that when acting as a client in passive FTP mode, for instance, random high ports try to connect to the FTP server. Therefore by blocking these high ports on the client side you are effectively disabling passive FTP on that client, which is annoying. I'm tempted to just allow everything outgoing, but I'm concerned that this might be a security threat.

Is this the case? Is it a bad idea, or does it have noticeable drawbacks, to just open all (or many) ports only for outgoing connections to facilitate services such as passive FTP?

Best Answer

There can be many reasons why someone might want to have outgoing ports closed. Here are some that I have applied to various servers at various times.

  • The machine is in a corporate environment where only outbound web traffic is permitted, and that via a proxy. All other ports are closed because they are not needed.
  • The machine is running a webserver with executable code (think PHP, Ruby, Python, Perl, etc.). As part of a mitigation against possible code flaws, only expected outbound services are allowed.
  • A service or application running on the machine attempts to connect to a remote resource but the server administrator does not want it to do so.
  • Good security practice: what is not explicitly permitted should be denied.
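The following script is an added example, not part of the answer above and not csf's own rule set (csf builds its iptables rules from its csf.conf settings such as TCP_OUT; this is an independent, hand-written equivalent). It applies the "deny what is not explicitly permitted" policy to the OUTPUT chain with plain iptables and shows how the passive-FTP problem from the question is handled without opening random high ports: the kernel's FTP connection-tracking helper classifies the data connection as RELATED to the port 21 control connection, so a single ESTABLISHED,RELATED rule lets it through. It assumes a Linux host with iptables and the nf_conntrack_ftp module available; the resolver address 192.0.2.53 and the port list are constructed values. Commands are printed rather than executed unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Egress allow-list for the OUTPUT chain (constructed example).
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (needs root).
IPT=${IPT:-iptables}

run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# egress_rules RESOLVERS ALLOWED_TCP_PORTS
#   RESOLVERS          space-separated DNS server addresses the host may query
#   ALLOWED_TCP_PORTS  space-separated destination ports the host may open new
#                      connections to (include 21 if passive FTP is required)
egress_rules() {
    resolvers="$1"
    allowed_tcp="$2"

    # Start from a clean chain; the DROP policy is set last so a failure
    # part-way through does not leave the host without any allow rules.
    run "$IPT" -F OUTPUT
    run "$IPT" -A OUTPUT -o lo -j ACCEPT

    # Replies to inbound connections and any connection the conntrack helpers
    # mark as RELATED (e.g. passive FTP data channels) are allowed here, so
    # no range of high ports has to be opened for them.
    run "$IPT" -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # DNS only to the configured resolvers, not to arbitrary hosts.
    for r in $resolvers; do
        run "$IPT" -A OUTPUT -p udp -d "$r" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
        run "$IPT" -A OUTPUT -p tcp -d "$r" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    done

    # Explicitly expected outbound services (web, FTP control, ...).
    for p in $allowed_tcp; do
        run "$IPT" -A OUTPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done

    # Passive FTP: load the helper and bind it to outbound control connections
    # (current kernels no longer assign helpers automatically).
    run modprobe nf_conntrack_ftp
    run "$IPT" -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp

    # Everything else is logged (rate-limited) and dropped. The log line is the
    # detection signal for a web application or service that starts reaching out
    # somewhere it was never expected to.
    run "$IPT" -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix egress-drop:
    run "$IPT" -P OUTPUT DROP
}

# Usage: print the rule set for one resolver and web + FTP-control egress.
egress_rules "192.0.2.53" "21 80 443"
```

Run it as-is to review the generated rules, then with DRY_RUN=0 as root to apply them. Ports 20 and the passive data range never appear in the allow-list; if FTP stops working after applying this, check that the helper rule in the raw table is present, since without it the data connection is seen as a NEW connection to a high port and dropped.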