Question

I understand the need for putting a web server in a DMZ and blocking inbound traffic to all ports except 80 and 443. I can also see why you should probably also block most outbound traffic in case the server is compromised.

But is it necessary to block outbound HTTP traffic over port 80? If so, why? A lot of web applications these days rely on sending/retrieving data from external web services and APIs, so blocking outbound traffic over port 80 would prevent this capability. Is there a security concern that's valid enough to justify this?


Solution

The only reason I can think of is if your machine is somehow compromised remotely then it won't be able to DDoS another website on port 80. It's not something I normally do though.

OTHER TIPS

Rather than blocking it, throttle it. Use iptables -m limit.

I have several web apps that invoke external web services, so I would say it's a bad idea to block outbound HTTP traffic. If you're concerned with security, you could block it and allow for only certain destinations.

Depending on your SQL version, you could have certificate authentication time out issues with SQL server 2005.

First - I agree with @vartec on throttling ("Rather than blocking it, throttle it. Use iptables -m limit") as at least part of the solution.

However, I can offer another reason not to block port 80 outbound at all times. If you have automatic security updates turned on, the server can't reach out to PPAs over port 80 to initiate a security update. Thus if you have automatic security updates set up, they won't run. On Ubuntu, automatic security updates are turned on in 14.04 LTS with:

 sudo apt-get install unattended-upgrades update-notifier-common && \
 sudo dpkg-reconfigure -plow unattended-upgrades
 (then select "YES")

More graceful solutions would be Ansible scripts opening the port automatically, possibly also modifying an AWS security group rule via the CLI in addition to iptables if you are at AWS. I prefer modifying my outbound rules temporarily via the AWS CLI, initiated by a stealth box. This forces logging of the update in my AWS S3 log buckets but never shows up in the logs on the server itself. Further, the server that initiates the update doesn't even have to be in the private subnet ACL.

Maybe do both? You have to figure at times an attack is going to relay off an internal IP in your subnet so there is merit to doubling down while preserving the ability to automate backups and security updates.

I hope this helps. If not, reply and provide more code examples to be more specific and exact. #staysafe !

If the machine is compromised and outbound traffic on port 80 is allowed, it would make it easier for intruders to send back harvested data to themselves. Allowing outbound traffic means you can initiate a connection from your machine to the outside world. A better approach would be allowing outbound traffic only to certain web sites/addresses that you trust (i.e. Microsoft Windows Update, Google reCAPTCHA) rather than any destination in the world.
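The throttling tip (iptables -m limit) and the allowlist approach from the answers above, combined into one OUTPUT-chain policy. This is an added example, not code from any answer on this page; the destination addresses and resolver are constructed placeholders, and it assumes the inbound 80/443-only rules from the question are already in place.

```shell
#!/bin/sh
# Egress policy for a DMZ web server (added example): default-drop OUTPUT,
# allow replies to established inbound sessions, allow NEW outbound HTTP/HTTPS
# only to an explicit allowlist and throttle those with -m limit, then log and
# drop everything else. Only the OUTPUT chain is touched.

# Constructed placeholders: replace with the resolved addresses of the API
# endpoints and package mirrors this server actually needs.
ALLOW_HTTP="192.0.2.10 192.0.2.11"
ALLOW_HTTPS="198.51.100.20"
RESOLVER="192.0.2.53"

# Rules are printed by default so they can be reviewed; set APPLY=1 to run them.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

egress_policy() {
    ipt -F OUTPUT
    ipt -P OUTPUT DROP
    ipt -A OUTPUT -o lo -j ACCEPT
    # Replies to clients of the web server (and any RELATED traffic) are never
    # blocked, so dropping NEW outbound on port 80 does not affect serving.
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # DNS only to the configured resolver so allowlisted names still resolve.
    ipt -A OUTPUT -d "$RESOLVER" -p udp --dport 53 -j ACCEPT
    # New outbound HTTP/HTTPS only to trusted destinations; once the rate
    # limit is exceeded the packet falls through to the LOG/DROP rules below.
    for dst in $ALLOW_HTTP; do
        ipt -A OUTPUT -d "$dst" -p tcp --dport 80 -m conntrack --ctstate NEW \
            -m limit --limit 30/minute --limit-burst 60 -j ACCEPT
    done
    for dst in $ALLOW_HTTPS; do
        ipt -A OUTPUT -d "$dst" -p tcp --dport 443 -m conntrack --ctstate NEW \
            -m limit --limit 30/minute --limit-burst 60 -j ACCEPT
    done
    # Log (rate-limited so a compromised host cannot flood syslog) and drop
    # everything else; these log lines are the detection signal.
    ipt -A OUTPUT -m limit --limit 5/minute -j LOG --log-prefix "EGRESS-DROP: "
    ipt -A OUTPUT -j DROP
}

egress_policy
```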

What do you mean by blocking outbound traffic over port 80?

You have two possibilities. Generate dynamic rules which allow communication from the client to your web server for this session. Search for stateful firewall rules.

Or you generally allow established connections to communicate incoming and outgoing with each other.

If you generally block all outbound traffic over port 80, your web server could not reply to any client.

The other way around: if your web server needs to get some API, e.g. a jQuery library, it won't use port 80 as its port to communicate with the web server that holds the API.

Your web server would normally choose a port > 1024 and use it for its request to get the API from the remote server.

So blocking all traffic over port 80 (as the port you are connecting from) would not prevent your server from sending any requests for APIs and such things, because it doesn't use port 80 when it acts as a client.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow