One of the many things I’ve been doing on my firewall is locking down outgoing protocols.

The challenge with egress filtering is trying to identify all the legitimate outgoing traffic that you want to allow.

A quick way to identify the traffic is to have your outgoing firewall rule set to log. Hopefully you are sending those firewall logs to Splunk or something similar.

In Splunk you simply need to search the logs for the specific firewall host and then click on “dst_port” in the “Interesting Fields” pane and you get your Top 10 outgoing ports.

You can now use this port list in your restricted outgoing firewall instead of just allowing everything out to the internet.

The other exercise you can do with this is to click on the ports listed, especially if you don’t know what they are being used for, and investigate.

You are sure to find some unexpected ports being used that you had no idea about.

Enjoy.