
I am going to deploy a docker swarm (3 nodes: 1 manager 'frontend', 2 workers 'backend' and 'db') with Security Groups for the VPC. I am planning to deny all inbound/outbound connections from the start.

The goal of denying all inbound connections

Reference: https://searchsecurity.techtarget.com/answer/Comparing-firewalls-Differences-between-an-inbound-outbound-firewall

Simply put, inbound firewall rules protect the network against incoming traffic from the internet or other network segments -- namely, disallowed connections, malware and denial-of-service (DoS) attacks.

The goal of denying all outbound connections

Reference: https://security.stackexchange.com/questions/24310/why-block-outgoing-network-traffic-with-a-firewall

Blocking outbound traffic is usually of benefit in limiting what an attacker can do once they've compromised a system on your network.

The current Security Groups rules

Inbound:

1. protocol tcp | port 22  | auth object ip address | description ssh

2. protocol tcp | port 80  | auth object 0.0.0.0/0  | description http

3. protocol tcp | port 443 | auth object 0.0.0.0/0  | description https

Outbound:

1. protocol udp | port 53  | auth object 0.0.0.0/0  | description dns lookup

2. protocol tcp | port 465 | auth object 0.0.0.0/0  | description smtp server

3. protocol tcp | port 587 | auth object 0.0.0.0/0  | description smtp relay service

4. protocol tcp | port 993 | auth object 0.0.0.0/0  | description imap server

This question popped up in my mind because one of the nodes is using CentOS and relies on chronyd (as a Network Time Protocol client), which uses protocol udp | port 123 to communicate with the NTP server. I decided to add it to the outbound Security Group rules:

Outbound:

1. protocol udp | port 123 | auth object 0.0.0.0/0 | description NTP server

netstat output

I use $ sudo netstat -antupc to monitor connections, and I get the SYN_SENT state for the AliYunDun and aliyun-service services and a BLANK state for the chronyd service.

tcp        0      1 private ip address:34484    100.100.103.52:80       SYN_SENT    1912/AliYunDun
tcp        0      1 private ip address:47530    100.100.80.165:80       SYN_SENT    928/aliyun-service
udp6       0      0 ::1:323                 :::*                                666/chronyd

Which ports should be left open for inbound and outbound connections for other Linux services to work properly?
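The netstat output above is the check a practitioner would automate before switching a node to deny-all egress: take what the host is actually connecting to, compare it with the outbound rules, and list the destinations that are either stuck in SYN_SENT or not covered by any rule. The script below is an added example, not code from the question or from any cloud provider. The sample netstat lines are constructed to match the column layout quoted in the question (10.0.0.5 is a placeholder for the node's private address; the 100.100.x.x peers are those from the question, 203.0.113.10 is a documentation address), and the two allow-lists are the inbound ports and outbound proto/port pairs from the Security Group rules listed above, including the NTP rule.

```shell
#!/bin/sh
# Added example (not from the question): compare what a host is actually talking to
# against the egress rules of its security group, using the netstat -antup column
# layout quoted in the question.

# Constructed sample output. 10.0.0.5 stands in for the node's private address;
# 100.100.x.x are the peers seen in the question, 203.0.113.10 is a documentation range.
SAMPLE_NETSTAT='tcp        0      1 10.0.0.5:34484          100.100.103.52:80       SYN_SENT    1912/AliYunDun
tcp        0      1 10.0.0.5:47530          100.100.80.165:80       SYN_SENT    928/aliyun-service
tcp        0      0 10.0.0.5:22             203.0.113.10:51234      ESTABLISHED 812/sshd
udp        0      0 10.0.0.5:51002          100.100.2.136:123       ESTABLISHED 666/chronyd
udp        0      0 10.0.0.5:44031          100.100.2.138:53        ESTABLISHED 901/systemd-resolve
udp6       0      0 ::1:323                 :::*                                666/chronyd'

# Security Group rules from the question: inbound service ports, and the outbound
# proto/port pairs including the NTP rule the asker added.
INBOUND_PORTS='22 80 443'
ALLOWED_EGRESS='udp/53 tcp/465 tcp/587 tcp/993 udp/123'

# stalled_outbound: print "proto dport program" for every socket stuck in SYN_SENT.
# A security group drops denied packets silently, so a blocked outbound TCP connection
# shows up as a SYN that is retransmitted but never answered: exactly this state.
stalled_outbound() {
  awk '$6 == "SYN_SENT" {
         n = split($5, d, ":"); split($NF, p, "/")
         print $1, d[n], p[2]
       }' | LC_ALL=C sort -u
}

# egress_gaps: print "proto/dport program" for outbound connections (SYN_SENT or
# ESTABLISHED) whose destination port is not covered by ALLOWED_EGRESS.
# Sockets whose local port is one of the inbound service ports were initiated by a
# remote client and are skipped; so are unconnected sockets (remote address "*").
egress_gaps() {
  awk -v allowed="$ALLOWED_EGRESS" -v inbound="$INBOUND_PORTS" '
    BEGIN {
      split(allowed, a, " "); for (i in a) ok[a[i]] = 1
      split(inbound, b, " "); for (i in b) srv[b[i]] = 1
    }
    $6 == "SYN_SENT" || $6 == "ESTABLISHED" {
      m = split($4, l, ":"); lport = l[m]
      n = split($5, d, ":"); dport = d[n]
      if (dport == "*" || lport in srv) next
      proto = $1; sub(/6$/, "", proto)        # tcp6/udp6 fall under the same rules
      key = proto "/" dport
      if (!(key in ok)) { split($NF, p, "/"); print key, p[2] }
    }' | LC_ALL=C sort -u
}

# Run against the constructed sample. On a real node the input would instead be
#   sudo netstat -antup | egress_gaps
printf '%s\n' "$SAMPLE_NETSTAT" | stalled_outbound
printf '%s\n' "$SAMPLE_NETSTAT" | egress_gaps
```

On the sample, both functions report only the two agent processes trying to reach port 80 on 100.100.x.x addresses; the chronyd and resolver traffic is covered by the udp/123 and udp/53 rules and the sshd line is an inbound session, so neither is reported. The output is a list to review, not to allow blindly: each entry should be traced back to the service that needs it before a rule is added, which is the same "observe, then permit what is necessary" approach the accepted answer describes for microsegmentation.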

1 Answer


Perhaps I'll be chastised by some more experienced person here, but in my opinion a general block on outbound traffic is a bit useless. I'll come back to this in a paragraph or two.

First of all: Local rules for outbound traffic are useless because if an attacker gains control of your server, they're in a perfect position to turn those rules off.

What can make a difference are a couple of things: A perimeter firewall can be configured, for example, to only allow outbound mail from defined mail servers, or to only allow outbound DNS queries from/to approved addresses. This may make a certain difference to your security.

Another way to greatly increase security is by applying microsegmentation between servers in your environment. This is usually achieved by putting some kind of firewall smack in the middle between your services. First you'll be monitoring network traffic between machines over a period of time. Once you've made an analysis of what's normal for your environment, you'll create policies to allow these necessary services, and block everything else. Commercial products like VMware NSX have built-in tools to help you in this process, but they're not cheap.

In this day and age, unless you have massive resources, you'll have a hard time identifying malicious outbound traffic from your machines to the Internet. It doesn't matter whether it's system updates or malware calling home to its control center, it'll generally look like https traffic, because that's what it is, and an old-school address-and-port firewall will not be useful for parsing headers or decrypting and analyzing packet contents.
