Outbound firewall rules
Hello All,
Does anyone have any recommended outbound firewall rules to prevent things like port scan, DDoS etc?
I understand these should usually be dealt with using policy and by tracking and reprimanding the user, however if we did want to try to mitigate it with a firewall, any recommendations?
2 Replies
I'm a heavy user of blacklists… My blacklists block in-/outbound traffic from/to the blacklisted hosts/networks. This is about the only foolproof way I've figured out to do this reliably.
I did find this:
https://offensivesecuritygeek.wordpress.com/2014/06/24/how-to-block-port-scans-using-iptables-only/
It uses a hits-per-time-period method to determine that a portscan is underway but it still depends on an ipset(1) to hold the hosts/networks subject to the rule (i.e. a blacklist). If you're going to go through the trouble of creating a blacklist, the hits-per-time-period idea seems somewhat superfluous to me, IMHO.
I also found these:
This technique also depends on a list of networks/hosts subject to monitoring.
Again…lists… This time of rules…
I've read several mentions of people using psad (http://cipherdyne.org/psad/) and snort (https://www.snort.org) to do this as well. I haven't investigated either of them in any great detail…
As for DDoS attacks, I believe Linode monitors for those and protects your domain from them. I don't know how they do that.
-- sw
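An added example (mine, not from this thread or the linked article) that puts the two ingredients the reply describes, a blacklist ipset and a hits-per-time-period rule, into the OUTPUT chain so the box itself is throttled and logged before it can act as a scanner or flood source; the set name, thresholds and log prefixes are assumptions to tune for your own traffic:

```shell
#!/bin/sh
# Added example (not from the thread): OUTPUT-chain rules that combine a
# blacklist ipset with the hits-per-time-period idea discussed above.
# Assumptions: IPv4, iptables with the set/recent/hashlimit/conntrack modules,
# and an ipset you maintain yourself. Set name, thresholds and log prefixes
# are placeholders to tune for your own traffic.
SET_NAME="${SET_NAME:-egress-blacklist}"
SCAN_HITS="${SCAN_HITS:-15}"     # SYNs to one destination within SCAN_WINDOW
SCAN_WINDOW="${SCAN_WINDOW:-10}" # seconds (recent module remembers 20 hits by default)
NEW_PER_MIN="${NEW_PER_MIN:-60}" # sustained new connections per destination IP

# Prints the commands instead of applying them, so they can be reviewed and
# then piped to "sudo sh". --log-uid records which local user owned the socket,
# which is what a policy-based follow-up with the user needs.
outbound_ruleset() {
    cat <<EOF
ipset create $SET_NAME hash:net -exist
# 1. Blacklisted destinations are never reachable, whatever the rate.
iptables -A OUTPUT -m set --match-set $SET_NAME dst -j LOG --log-prefix "EGRESS-BL: " --log-uid
iptables -A OUTPUT -m set --match-set $SET_NAME dst -j REJECT
# 2. Existing flows are left alone; only new connection attempts are counted.
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 3. Scan heuristic: $SCAN_HITS TCP SYNs to one destination within $SCAN_WINDOW s
#    (a vertical scan hits many ports on one host) are logged, then dropped.
#    --set records each SYN per destination; --rcheck/--update test the count.
iptables -A OUTPUT -p tcp --syn -m recent --name egress-scan --rdest --rcheck --seconds $SCAN_WINDOW --hitcount $SCAN_HITS -j LOG --log-prefix "EGRESS-SCAN: " --log-uid
iptables -A OUTPUT -p tcp --syn -m recent --name egress-scan --rdest --update --seconds $SCAN_WINDOW --hitcount $SCAN_HITS -j DROP
iptables -A OUTPUT -p tcp --syn -m recent --name egress-scan --rdest --set
# 4. Flood heuristic: cap sustained new connections per destination IP.
iptables -A OUTPUT -m conntrack --ctstate NEW -m hashlimit --hashlimit-name egress-flood --hashlimit-mode dstip --hashlimit-above $NEW_PER_MIN/minute --hashlimit-burst 100 -j LOG --log-prefix "EGRESS-FLOOD: " --log-uid
iptables -A OUTPUT -m conntrack --ctstate NEW -m hashlimit --hashlimit-name egress-flood --hashlimit-mode dstip --hashlimit-above $NEW_PER_MIN/minute --hashlimit-burst 100 -j DROP
EOF
}

# Number of iptables rules emitted; a sanity check before applying.
rule_count() {
    outbound_ruleset | grep -c '^iptables -A OUTPUT'
}
```

Review the output first (`outbound_ruleset`), then apply with `outbound_ruleset | sudo sh`; the logged prefixes are what you would feed into the blacklist or hand to whoever handles the policy side.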