Thursday, November 4, 2010

UFW Block outgoing traffic

I prefer to block outgoing traffic by default on public facing servers. I see a lot of people being flamed for even asking how to do this with UFW.

The main reason you would want to do this is to prevent your machine from making reverse shell connections. Many attacks target a web application with a remote code execution vulnerability. If such an attack succeeds, the attacker can then download further content onto your machine or open a reverse shell connection back to themselves, giving them shell access to your machine.

By blocking all outgoing traffic by default, that call-back never leaves the machine, so you prevent the attacker from gaining remote access even after the initial exploit.

To do this with UFW:
ufw default deny outgoing
You can then allow individual outgoing ports if necessary. For example, you'll probably want to allow DNS queries to your name servers.
ufw allow out to 8.8.8.8 port 53
Here 8.8.8.8 is the address of your name server. This rule allows traffic from any local IP address on the machine to that name server on port 53; since no protocol is given, UFW applies it to both UDP and TCP.
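As an added example that is not part of the original post, here is a small POSIX shell script that applies the policy above and checks the output of "ufw status verbose" for it. The script name, the DRY_RUN variable and the function names are my own, and 8.8.8.8 stands in for your own resolver as in the post.

```shell
#!/bin/sh
# Added example: apply the default-deny-outbound policy from the post and
# verify it.  Helper names, DRY_RUN and the script layout are my own, not ufw's.
NAMESERVER="${NAMESERVER:-8.8.8.8}"   # resolver to re-open DNS to (8.8.8.8 as in the post)

# run: execute the given command, or only print it when DRY_RUN=1 so the
# rule set can be reviewed before touching a live firewall.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# apply_outbound_policy: drop every outbound connection by default, then
# re-open only DNS to the configured resolver.  Omitting "proto" makes ufw
# install the rule for both UDP and TCP port 53.
apply_outbound_policy() {
    run ufw default deny outgoing
    run ufw allow out to "$NAMESERVER" port 53
}

# outgoing_default_is_deny: read "ufw status verbose" output on stdin and
# succeed only if the outgoing default policy is deny.
outgoing_default_is_deny() {
    grep -q '^Default:.*deny (outgoing)'
}

# allow_out_rule_count: number of ALLOW OUT rules in "ufw status verbose"
# output read from stdin (what is still permitted after the default deny).
allow_out_rule_count() {
    grep -c 'ALLOW OUT' || true
}

# Usage: sh outbound-policy.sh apply   (as root; set DRY_RUN=1 to preview)
#        sh outbound-policy.sh check   (exit 0 only if the outgoing default is deny)
case "${1:-}" in
    apply) apply_outbound_policy ;;
    check) ufw status verbose | outgoing_default_is_deny ;;
esac
```

Run it with DRY_RUN=1 first to see the two ufw commands it would issue, then as root with the apply argument; the check argument is handy in a cron job or monitoring script to catch the default being flipped back to allow.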


1 comment:

Brinley Ang said...

It should be

ufw default deny outgoing