Why block outgoing network traffic with a firewall?

Blocking outbound traffic is usually of benefit in limiting what an attacker can do once they've compromised a system on your network.

So for example, if they've managed to get malware onto a system (via an infected e-mail or browser page), the malware might try to "call home" to a command and control system on the Internet to get additional code downloaded or to accept tasks from a control system (e.g. sending spam).

Blocking outbound traffic can help stop this from happening, so it's not so much stopping you getting infected as making it less bad when it's happened.

Could be overkill for a home network though, as there are a lot of programs which make connections outbound and you'd need to spend a bit of time setting up all the exceptions.


Coming from a security role, particularly if you've ever been involved in incident response, the idea of outbound filtering would seem a natural course in a high security environment. However, it is a very large and complex undertaking. Mention the words "egress filtering" to a firewall, network, or systems administrator and you'll likely get this response.


So while we know that high security environments may need this, and would warrant the extra work, it can sometimes be difficult to get buy-in. Particularly when a unit whose primary duty is to maintain uptime is suddenly asked to take on a potentially significant amount of extra maintenance to accomplish something that has a high probability of reducing uptime.

In this case we would be remiss not to mention the compliance angle. Let's look at the PCI-DSS v2.0 for a moment. Requirements section 1 discusses systems and network security. This one is relevant here:

1.3.5

Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.

As much as we all like to talk about how "Compliance is a Starting Point", in the real world sometimes the only traction we can get is the goal of filling in that checkbox or passing that audit. Taking a look at compliance documents relevant to your field or service could be useful. While PCI-DSS is exclusively an industry requirement, agreed to by contract law, it is a fairly specific set of requirements that I have seen adopted as a standard to audit against in other places that have less well defined requirements.


Unless you block all outgoing traffic other than a whitelist of legitimate websites you visit (and/or use a proxy that does whitelisting and security scanning), there's little additional security to be gained from blocking all ports except 80/443. Well, blocking port 25 might be good to keep your network from being used to send spam.

Many botnets already communicate over HTTP to connect to their command/control network since they know that other ports may be blocked (some even use DNS as their command/control protocol). So if you're going to let your network connect to any HTTP server, then you're not giving yourself much additional protection from joining a botnet, and you'll continually run into problems when you try to run things that use other ports like VPN, video conferencing, online gaming, websites on non-standard ports, FTP, etc. And you'd really need to regularly audit the logs to look for signs of infection.

Probably not worth the hassle on a home network. You're probably better off spending your time in trying to prevent malware infection in the first place than in mitigating damage once you've been infected.
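To make the "whitelist of legitimate destinations" approach from the answers above concrete, here is an added example (not code from any of the answers) of a default-deny egress policy for a small gateway in nftables syntax. The interface names (lan0, wan0), the resolver addresses (192.0.2.53/54, documentation addresses) and the mail relay (192.168.1.25) are constructed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example: egress filtering on a gateway that forwards lan0 -> wan0.
# Everything below the allowlist is logged (rate-limited) and dropped, so
# the log becomes the place to look for hosts trying to reach unexpected
# destinations or ports (possible malware beaconing).
add table inet egress
flush table inet egress

table inet egress {
    # Resolvers LAN hosts may query; other DNS is dropped so a host
    # cannot tunnel command-and-control traffic via arbitrary resolvers.
    set resolvers {
        type ipv4_addr
        elements = { 192.0.2.53, 192.0.2.54 }
    }

    # The only host permitted to speak SMTP to the Internet (anti-spam).
    set mail_relays {
        type ipv4_addr
        elements = { 192.168.1.25 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Only LAN-to-WAN traffic is subject to the egress allowlist.
        iifname "lan0" oifname "wan0" jump egress_lan
    }

    chain egress_lan {
        ip daddr @resolvers udp dport 53 accept
        ip daddr @resolvers tcp dport 53 accept
        tcp dport { 80, 443 } accept
        ip saddr @mail_relays tcp dport 25 accept

        # Log a sample of what was refused, then drop. The prefix makes the
        # entries easy to grep in the kernel log during a periodic review.
        limit rate 10/minute log prefix "egress-drop: " level info
        drop
    }
}
```

Load it with `nft -f <file>`; an unlisted program (VPN, gaming, FTP) will show up as `egress-drop:` lines with its source host and destination port, which is where the exception list gets extended deliberately rather than by opening everything.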