Ports dilemma

I want to close ALL outgoing ports except 443, 123 and 853 to avoid potential abuse or exploitation of my network as much as possible.

Would this be a good idea? I use my Fedora machine only at home, and I want to mitigate potential exploits.

I had the idea of blocking both directions to guarantee that, for example, some app won’t fall back to plain HTTP, where HTTP can be easily intercepted and modified to be harmful.

Or, for example, port 53, which allows the ISP to spy on and modify queries (some programs still use 53, even if resolved.conf or stubby is configured for DoT).

Or NTP, which is often used even with chrony configured to use NTS…

This is a “better safe than sorry” approach.

I also have a Flint 2 (GL.iNet, OpenWrt), so I can close ports there.

But for now there are more important questions: how likely am I to break something critical (that’s why I want to test on my own machine first, without causing headaches for my housemates), and how effective is this approach as a mitigation?

All incoming traffic is already set to “DROP” at both levels: router and PC.

2 Likes
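As an added worked example (not something posted in the thread, and not from any of the participants), here is what the poster’s egress policy looks like as an nftables ruleset for the Fedora host. It assumes firewalld is stopped so this table is the only one loaded. The ports beyond 443/123/853 are the editor’s additions, flagged in comments: 4460/tcp is the NTS-KE handshake chrony performs before NTS-protected NTP (RFC 8915), 443/udp is HTTP/3, and the two DHCP rules keep the lease renewable. Treat the set contents as a starting point to tune from the log line, not as a finished allow-list.

```nft
#!/usr/sbin/nft -f
# Added example, not code from the thread. Default-deny egress for one Fedora host.
# Assumption: firewalld is stopped/disabled, so this ruleset is the only one loaded.

flush ruleset

table inet egress {
    # The poster's three ports, plus what those services actually need:
    #   4460/tcp  NTS-KE handshake chrony does before NTS-protected NTP (RFC 8915)
    #   443/udp   HTTP/3 (QUIC); drop it from the set to force browsers back to TCP 443
    set out_tcp { type inet_service; elements = { 443, 853, 4460 } }
    set out_udp { type inet_service; elements = { 123, 443 } }

    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # ICMP/ICMPv6 carry PMTU discovery and IPv6 neighbour discovery; dropping them
        # breaks things in ways that do not look firewall-related at all
        meta l4proto { icmp, ipv6-icmp } accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy drop;
        # Loopback stays open, so programs that still speak plain DNS on port 53 reach
        # systemd-resolved's stub at 127.0.0.53, which then goes upstream over 853.
        # Port 53 towards the ISP or anything else on the Internet is never allowed.
        oif "lo" accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept
        # DHCPv4 and DHCPv6 client traffic so the lease can still be renewed
        udp sport 68 udp dport 67 accept
        udp sport 546 udp dport 547 accept
        tcp dport @out_tcp accept
        udp dport @out_udp accept
        # Reject rather than drop so a blocked program fails immediately instead of
        # hanging until a timeout; the log line shows what was cut off.
        log prefix "egress-drop: " counter reject with icmpx type admin-prohibited
    }
}
```

Check the syntax first with `sudo nft -c -f egress.nft`, load it with `sudo nft -f egress.nft`, and watch what gets refused with `journalctl -k -g egress-drop` while using the machine normally; every hit is either a program to fix or a port to add. The first things this policy cuts off on a typical desktop are SSH/git over 22, mail clients on 465/993, mDNS discovery on 5353 (printers, Chromecast-style devices), and anything that needs plain 53 to a non-loopback resolver. Note what it does not do: a compromised process that talks to its controller over 443 is unaffected, which is the limit of port-based egress filtering.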

That depends on your threat model.

Likely, and see the answer above. Also, if you have any plans to implement this at the router level, then your housemates may be denied access to critical ports used by their (mobile) operating systems.

Very good start!
The rest comes down to monitoring various things and seeing whether they’re broken or not. 😅

It might be a long way to go to narrow down all of the legitimate ports that should be open, but it’s kind of trial and error at this point. Otherwise, some blog post or LLM could maybe give you a top 20/50 of the most popular ones that could be kept open. 👍

1 Like

Blocking outbound ports while allowing 443 is security theater. The effective way to mitigate exploits is by segmenting traffic and devices at various levels (VLANs, virtual machines, application containers). For DNS, you could run your own server and enforce DNSSEC to ensure that responses to DNS queries are authentic and have not been tampered with. This will also bypass most forms of censorship by ISPs (relevant in Europe and some other places where governments coerce ISPs into censorship of piracy and other activities).

2 Likes
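A worked example, added by the editor and not posted by anyone in the thread, of the “run your own DNS server and enforce DNSSEC” suggestion above: an Unbound configuration for the Fedora host that validates DNSSEC and fails closed. The file and trust-anchor paths are what the editor understands Fedora’s unbound package to use (`/etc/unbound/unbound.conf`, `/var/lib/unbound/root.key`); treat them as assumptions and check them against your installed package.

```conf
# Added example, not from the thread: /etc/unbound/unbound.conf for a local
# DNSSEC-validating recursive resolver. Paths are assumed Fedora defaults.
server:
    # Listen on loopback only; nothing else on the LAN gets to use this resolver
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # Root trust anchor, kept current via RFC 5011 rollover.
    # Create it once with:  unbound-anchor -a /var/lib/unbound/root.key
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Fail closed: a name whose signatures do not validate gets SERVFAIL,
    # not a silently accepted answer. This is the "enforce" part.
    val-permissive-mode: no
    # A response from a signed zone with its DNSSEC records stripped is bogus
    harden-dnssec-stripped: yes
    # Only accept in-bailiwick glue, and don't resolve below a proven NXDOMAIN
    harden-glue: yes
    harden-below-nxdomain: yes

    # Send as little of the queried name as possible to each authoritative server
    qname-minimisation: yes
    # 0x20 case randomisation as an extra hurdle against spoofed replies
    use-caps-for-id: yes
    # Refresh popular records before they expire from the cache
    prefetch: yes

    # No forward-zone: Unbound walks the tree from the root itself, so the ISP's
    # resolver never sees the queries. The authoritative servers still do, in
    # cleartext on port 53: DNSSEC gives authenticity, not confidentiality.
```

Validate with `unbound-checkconf`, start it with `systemctl enable --now unbound`, and point the system at it (for example `DNS=127.0.0.1` in `/etc/systemd/resolved.conf`). Then check both directions of the enforcement: `dig @127.0.0.1 fedoraproject.org +dnssec` should come back with the `ad` flag set, and `dig @127.0.0.1 dnssec-failed.org` should return SERVFAIL rather than an answer. One interaction with the egress policy discussed in this thread: a recursive resolver needs outbound 53 (UDP and TCP) to the authoritative servers, so a default-deny output chain has to allow it for that one process, for instance with `meta skuid "unbound" udp dport 53 accept` and the same for tcp (assuming the daemon runs as the `unbound` user, as it does on Fedora to the editor’s knowledge), while everything else on the host stays cut off from 53.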