Outbound firewall rules

Hello All,

Does anyone have any recommended outbound firewall rules to prevent things like port scan, DDoS etc?

I understand these should usually dealt with using policy and by tracking and reprimanding the user, however if we did want to try to mitigate it with a firewall any recommendations?

2 Replies


Do you have any insight you can share here?

I'm a heavy user of blacklists… My blacklists block in-/outbound traffic from/to the blacklisted hosts/networks. This is about the only foolproof way I've figured out to do this reliably.

I did find this:


It uses a hits-per-time-period method to determine that a portscan is underway but it still depends on an ipset(1) to hold the hosts/networks subject to the rule (i.e. a blacklist). If you're going to go through the trouble of creating a blacklist, the hits-per-time-period idea seems somewhat superfluous to me, IMHO.

I also found these:

This technique also depends on a list of networks/hosts subject to monitoring.

Again…lists… This time of rules…

I've read several mentions of people using psad (http://cipherdyne.org/psad/) and snort (https://www.snort.org) to do this as well. I haven't investigated either of them in any great detail…

As for DDoS attacks, I believe Linode monitors for those and protects your domain from them. I don't know how they do that.

-- sw


Please enter an answer

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct