Egress filtering

Below is info from a really old internal doc I kept at one of my past jobs, but it gave our customers some ideas for traffic they might want to filter on their egress Internet connection to keep potentially bad stuff away.

Traffic you probably want to completely block headed outbound

MS RPC – TCP & UDP port 135
NetBIOS/IP – TCP & UDP ports 137-139
SMB/IP – TCP port 445
Trivial File Transfer Protocol (TFTP) – UDP port 69
Syslog – UDP port 514
Simple Network Management Protocol (SNMP) – UDP ports 161-162
Internet Relay Chat (IRC) – TCP ports 6660-6669

Traffic you probably want to allow to/from only specific hosts

SMTP – allowed outbound from only the mail server/smarthost
DNS – allowed outbound only from specific hosts to specific upstream providers
NTP – allow internal hosts sync with domain controllers, and then allow only the domain controllers to sync to specific upstream hosts

Tools for checking egress filtering

Check out go-out.

Video demo

Here's a Tuesday TOOLSday video we did over at 7MinSec.club about testing for egress filtering:

References

https://www.sans.org/reading-room/whitepapers/firewalls/egress-filtering-faq-1059.

video Last updated on 2026-03-23