Ingress and Egress Filtering

Usually, a network is placed behind a firewall that controls the permitted ingress (incoming) and egress (outgoing) traffic. Often, firewalls are also placed between different network segments (e.g., between different LAN segments or between different DMZs). Best practices recommend enforcing certain traffic filtering rules on a firewall. Developing and documenting those rules is demonstrated in the example network shown in Figure A-3.





Figure A-3 Example network

In Figure A-3, a firewall connects the DMZ and the office LAN to the Internet. When developing traffic filtering rules, the purpose and use cases of the different systems need to be defined:

• server1 serves as a web server.

• server2 serves as a mail server (receiving and sending email through SMTP).

• The office LAN is allowed to use the services as described, too, and it is allowed to perform remote logins on server1 and server2 and to retrieve email with POP3 from server2.

• server1 and server2 are allowed to synchronize their system clocks with the network time protocol (NTP).

• The office LAN is allowed to access web pages hosted on any server on the Internet.

Those use cases can be used to define a traffic matrix, as shown in Table A-4.

Table A-4 Example Traffic Matrix (rows are the traffic sources world, server1, server2 and Office LAN; columns are the destinations server1, server2 and world; only the following cells are legible: from world to server1: 80/tcp 443/tcp; from server2 to world: 123/udp 25/tcp; from Office LAN to world: 80/tcp 443/tcp)

One important thing to note is that the traffic matrix includes ingress (incoming) as well as egress (outgoing) traffic. The egress filtering part is often forgotten. The benefit of egress filtering becomes apparent once one of the hosts has been successfully attacked or infected by a worm: egress filtering makes it much more difficult for an attacker to use the compromised hosts as a source for further attacks, since they cannot establish arbitrary outbound connections.

The defined traffic matrix serves as documentation and can be used to set up the traffic filtering rules. Linux has built-in packet filtering capabilities through the NetFilter framework, making it possible to use a Linux computer as a firewall. The iptables command is used to manipulate the traffic filtering rules and is the standard tool for managing the NetFilter framework. In addition, you can use one of the available high-level frameworks such as Shorewall or Firestarter, which greatly simplify the configuration process.
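As an added example (not from the book), the following script derives iptables FORWARD rules for the Figure A-3 firewall from the Table A-4 traffic matrix, with explicit egress entries and a default-deny policy in both directions. All addresses are constructed placeholders, and 22/tcp (SSH) for "remote login" and 110/tcp for POP3 are assumed port numbers, since the text names the services but not the ports.

```shell
#!/bin/sh
# Added example (not from the book): derive iptables FORWARD rules for the
# Figure A-3 firewall from the Table A-4 traffic matrix. All addresses are
# constructed placeholders; 22/tcp (SSH) for "remote login" and 110/tcp for
# POP3 are assumed port numbers, the book names the services, not the ports.
WORLD="0.0.0.0/0"
SERVER1="192.0.2.10"        # web server (placeholder)
SERVER2="192.0.2.25"        # mail server (placeholder)
OFFICE="198.51.100.0/24"    # office LAN (placeholder)

# The traffic matrix: one allowed flow per line as "from to proto dport".
# Egress flows (servers and office to the world) are listed explicitly so
# that anything not in the matrix is dropped in both directions.
matrix() {
cat <<EOF
$WORLD   $SERVER1 tcp 80
$WORLD   $SERVER1 tcp 443
$WORLD   $SERVER2 tcp 25
$SERVER1 $WORLD   udp 123
$SERVER2 $WORLD   udp 123
$SERVER2 $WORLD   tcp 25
$OFFICE  $SERVER1 tcp 80
$OFFICE  $SERVER1 tcp 443
$OFFICE  $SERVER1 tcp 22
$OFFICE  $SERVER2 tcp 22
$OFFICE  $SERVER2 tcp 25
$OFFICE  $SERVER2 tcp 110
$OFFICE  $WORLD   tcp 80
$OFFICE  $WORLD   tcp 443
EOF
}

# Print the ruleset instead of applying it, so it can be reviewed first and
# then applied with:  gen_rules | sh
gen_rules() {
  echo "iptables -F FORWARD"
  # Default deny covers ingress and egress alike.
  echo "iptables -P FORWARD DROP"
  # Reply packets of permitted connections; new connections must match a flow.
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP"
  matrix | while read -r src dst proto port; do
    echo "iptables -A FORWARD -s $src -d $dst -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
  # Log what the default policy is about to drop; a compromised host trying
  # to reach out shows up here.
  echo "iptables -A FORWARD -j LOG --log-prefix 'FW-DROP: '"
}

gen_rules
```

Because the matrix is the single source of truth, adding a row to it is the only change needed to permit a new flow, and the generated output doubles as the documentation the text asks for.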
