Outbound firewall rules
Does anyone have any recommended outbound firewall rules to prevent things like port scan, DDoS etc?
I understand these should usually be dealt with using policy and by tracking and reprimanding the user, however if we did want to try to mitigate it with a firewall, any recommendations?
I'm a heavy user of blacklists… My blacklists block in-/outbound traffic from/to the blacklisted hosts/networks. This is about the only foolproof way I've figured out to do this reliably.
I did find this:
It uses a hits-per-time-period method to determine that a portscan is underway but it still depends on an ipset(1) to hold the hosts/networks subject to the rule (i.e. a blacklist). If you're going to go through the trouble of creating a blacklist, the hits-per-time-period idea seems somewhat superfluous to me, IMHO.
I also found these:
This technique also depends on a list of networks/hosts subject to monitoring.
Again…lists… This time of rules…
As for DDoS attacks, I believe Linode monitors for those and protects your domain from them. I don't know how they do that.
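Added illustration, not part of the thread above: the answer mentions a "hits-per-time-period" portscan check (the kind an iptables `recent --seconds/--hitcount` rule or an nftables dynamic set with a rate limit implements) alongside an ipset blacklist. The script below models both in userspace over constructed sample flows so the threshold behaviour can be seen without touching a real firewall. One deliberate change from the raw `recent` match is that it counts distinct (destination, port) targets per source rather than raw packets, which is what separates a scan from a browser opening many connections to one host on 443. The blacklist networks, addresses, thresholds and traffic are all made up for the example.

```python
"""Userspace model of an outbound blacklist + hits-per-time-period scan check.

Example code written for this page, not from the original thread. It does
not touch iptables/nftables; it replays constructed flow records through
the same two decisions a firewall ruleset would make: (1) is the
destination on the blacklist (an ipset-style hash:net set), and (2) has
this source opened connections to too many distinct targets within the
last N seconds (the 'hits per time period' idea).
"""
import ipaddress
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float    # seconds since start of the (constructed) capture
    src: str
    dst: str
    dport: int


# Constructed blacklist standing in for an ipset(1) hash:net set.
BLACKLIST = ("198.51.100.0/24", "203.0.113.7/32")


def in_blacklist(ip, cidrs=BLACKLIST):
    """True if ip falls inside any blacklisted network (ipset hash:net lookup)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


class PortScanDetector:
    """Flag a source once it has touched >= hitcount distinct (dst, dport)
    targets within any window of `seconds` seconds.

    Counting distinct targets rather than packets is an assumption made for
    this example; the iptables `recent` match itself counts packets.
    """

    def __init__(self, seconds=10.0, hitcount=20):
        self.seconds = seconds
        self.hitcount = hitcount
        self.windows = defaultdict(deque)   # src -> deque of (ts, (dst, dport))

    def observe(self, flow):
        window = self.windows[flow.src]
        window.append((flow.ts, (flow.dst, flow.dport)))
        cutoff = flow.ts - self.seconds
        while window and window[0][0] < cutoff:   # expire old hits
            window.popleft()
        distinct_targets = {target for _, target in window}
        return len(distinct_targets) >= self.hitcount


def classify(flows, seconds=10.0, hitcount=20):
    """Return [(flow, verdict)] in the order the firewall would see them.

    Rule order mirrors a typical chain: blacklist DROP first, then the
    rate/hit check, then ACCEPT. Blacklisted flows never reach the detector.
    """
    detector = PortScanDetector(seconds, hitcount)
    results = []
    for flow in flows:
        if in_blacklist(flow.dst):
            results.append((flow, "DROP_BLACKLIST"))
        elif detector.observe(flow):
            results.append((flow, "DROP_SCAN"))
        else:
            results.append((flow, "ACCEPT"))
    return results


def summarize(results):
    """{src: Counter(verdict -> count)} for quick inspection/assertions."""
    summary = defaultdict(Counter)
    for flow, verdict in results:
        summary[flow.src][verdict] += 1
    return dict(summary)


def first_flagged(results, src, verdict="DROP_SCAN"):
    """Destination port of the first flow from src that received `verdict`."""
    for flow, v in results:
        if flow.src == src and v == verdict:
            return flow.dport
    return None


def build_sample_flows():
    """Constructed sample traffic (not real capture data)."""
    flows = []
    # 10.0.0.5 browses: 30 connections to 3 hosts, all on 443, one per second.
    hosts = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]
    for i in range(30):
        flows.append(Flow(float(i), "10.0.0.5", hosts[i % 3], 443))
    # 10.0.0.9 scans 192.0.2.10: ports 1..40 at ten connections per second.
    for port in range(1, 41):
        flows.append(Flow(5.0 + port / 10.0, "10.0.0.9", "192.0.2.10", port))
    # 10.0.0.5 also touches a blacklisted host once.
    flows.append(Flow(31.0, "10.0.0.5", "203.0.113.7", 80))
    return sorted(flows, key=lambda f: f.ts)


if __name__ == "__main__":
    for src, counts in summarize(classify(build_sample_flows())).items():
        print(src, dict(counts))
```

With the defaults (20 distinct targets in 10 s) the browsing host is never flagged because it only ever has three distinct targets in its window, its single connection to the blacklisted host is dropped by the list before the hit counter sees it, and the scanner is dropped from its 20th port onward. Lowering `hitcount` or raising `seconds` trades false positives against how far a scan gets before the rule bites, which is the tuning problem any hits-per-time-period rule has.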