What Is Egress Filtering On A Firewall?

Firewall egress filtering is a technique that protects your network from malicious traffic. It helps to prevent unauthorized access to resources outside the local network, such as the Internet or another internal network.

Firewall egress filtering can be used to protect against

Malware that attempts to spread itself through an infected computer on the Internet
Malware that attempts to spread itself through an infected computer on another internal network
Malware that attempts to spread itself through email attachments sent by users with compromised accounts

When you use this type of filtering, you’re protecting yourself from both internal and external attacks. For example, if someone were to hack into your system and try to send malicious code or data out onto the Internet, they would be unable to do so since the firewall would block any attempt based on how you configure your outbound filtering.

Does My Firewall Support Egress FIltering?

Most business-grade firewalls support egress filtering. By default, most firewalls come out of the box configured to let all traffic out and minimal traffic in. This is for convenience because if your firewall came out of the box with DENY * rules in the default running configuration, it would be troublesome for admins who don’t have protocol-level knowledge of internet traffic.

List Of Hardware Firewall ManufacturersThat Support Egress Filtering:

Cisco ASA
Palo Alto Networks
Fortinet
Juniper Networks
Check Point
SonicWall
WatchGuard

In addition to hardware firewalls that have some level of egress filtering, there are also numerous software-based firewalls that also support egress filtering.

List Of Software Firewalls That Support Egress Filtering:

Windows Defender Firewall – The default firewall that comes pre-installed with Microsoft Windows since Windows XP SP2.
iptables – Like Windows Defender Firewall, but comes pre-installed on most Linux distributions.
MacOS Firewall – Like iptables and Windows Defender Firewall, this comes pre-installed with MacOS out of the box (Based on pf – which is a UNIX native software-based firewall
firewalld – Like iptables, this comes pre-installed with some distributions of Linux like CentOS, Fedora and Red Hat Enterprise Linux.

All the firewalls mentioned above (hardware and software) support egress filtering in one form or another.

What Are The Different Types Of Egress Filtering?

There are a few types of egress filtering. It largely depends on the vendor (hardware or software), as they have different offerings that makes them competitive with one another, but the two that we are going to focus on in this post are:

Stricly Rules Based – These are based on the rules in your firewall rule chain that don’t depend on deep packet inspection or other next-gen technologies. This is egress filtering based on the most basic unit of firewalling.

Next-Gen Filtering– these filters use deep packet inspection, specialized software, and specially designed ASIC chips to filter based on signatures. These are on the hardware-based firewalls we mentioned in the previous list farther up the page.

Since we are focusing on the basics, we are going to focus on implementing egress filtering based strictly on rules since every manufacturer handles the Next-Gen stuff differently, and that is a post for another day.

How Do I Implement Egress Filtering On My Network?

We will focus on an everyday use case where egress filtering should be applied, with general assumptions based on what we see in the field.

Example Scenario – Your network uses an active directory on-prem for authentication. You have a website that an outside provider hosts. Some of your users have VPN access to the network itself. Your network is split into 3 VLANs. You have a wireless network for company-owned equipment and a separate network for mobile devices. Email is hosted in Office 365.

In this scenario, all the most dangerous traffic (website and email) is hosted off-prem. Still, internally, you want to make sure that everything is sealed up in a way that devices can talk to their respective gateways and authentication servers without being totally open.

Here is how we would set that up:

On the corporate network, you’ll want to enable only necessary services for the workstations to talk to the servers. Those services are:

Workstation to Server
- RPC (TCP 135)
- RPC Dynamic (TCP/UDP 49152-65535)
- Kerberos (TCP 88)
- LDAP (389)
- DNS (53)
- SMB (445)
- Add workstation and server IP’s as objects in your firewall, only known trusted devices are allowed to talk on these ports to the servers.
- NTP (UDP 123)
- Workstations should only talk to the internet and the servers. Workstations should not be able to talk to each other.
Server to Server
- Match the rules above.
- Deny access to all other networks that the servers don’t need to talk to
Server to WAN
- Servers should be able to talk to Microsoft and other software vendors for updates only. These servers should never be able to talk to the internet beyond software updates.
Mobile Device Wireless Network
- HTTP (TCP 80)
- HTTPS (TCP 443)
- DNS (UDP 53)
- NTP (UDP 123)
- DENY access to all other internal networks
VPN Tunnel
- VPN tunnel should only allow necessary ports for authentication and only be allowed to talk to the resource that is being made available over the VPN. This can be set on an individual user basis by assigning users static IP’s within the tunnel.

If a host should become infected, rules like this can contain the spread. Keeping servers away from the internet except in cases of software updates is ideal because this can preclude an attacker from easily exfiltrating data or talking back to a C2 (Command and Control) server.

Scenario 2 – Your network relies on cloud connectivity. The network uses Office 365 for email, SharePoint Online, and Azure AD.