views: 1537

answers: 5

I understand the need for putting a web server in a DMZ and blocking inbound traffic to all ports except 80 and 443. I can also see why you should probably also block most outbound traffic in case the server is compromised.

But is it necessary to block outbound HTTP traffic over port 80? If so, why? A lot of web applications these days rely on sending/retrieving data from external web services and APIs, so blocking outbound traffic over port 80 would prevent this capability. Is there a security concern that's valid enough to justify this?

+5  A: 

The only reason I can think of is if your machine is somehow compromised remotely then it won't be able to DDoS another website on port 80. It's not something I normally do though.

Steven Robbins
A: 

What do you mean by blocking outbound traffic over port 80?

You have two possibilities. Generate dynamic rules which allow communication from client to your web server for this session. Search for stateful firewall rules.

Or you generally allow established connections to communicate in and outgoing with each other.

If you generally block all outbound traffic over port 80, your web server could not reply to any client.

The other way around: if your web server needs to get some API, e.g. a jQuery library, it won't use port 80 as its port to communicate with the web server that holds the API.

Your web server would normally choose a port > 1024 and use it for its request to get the API from the remote server.

So blocking all traffic over port 80 (as the port you are connecting from) would not prevent your server from sending requests for APIs and such things, because it doesn't use port 80 when it acts as a client.

evildead
I'm talking about allowing the web server to initiate outbound HTTP connections (port 80) to other servers on the internet. For example, you might have a PHP page that has a weather widget on it. That script would need to request the weather data from an external web service.
Richard Davies
Ah ok, I thought you meant blocking port 80 as the initiating port. If you block this, then you cannot load APIs and such things from other pages. You can probably add some sites you trust to your rules. But I would say blocking port 80 generally doesn't make much sense.
evildead
From another point of view, if your server gets hacked and you block that traffic, it can't load arbitrary code from other sites. But who guarantees that the hacker/robot/whatever is using port 80 for his request? :)
evildead
A: 

Rather than blocking it, throttle it. Use iptables -m limit.

vartec
A: 

I have several web apps that invoke external web services, so I would say it's a bad idea to block outbound HTTP traffic. If you're concerned with security, you could block it and allow for only certain destinations.

Adam Crume
A whitelist is a good suggestion, but it won't work with OpenID, which requires that the web server be able to request any URL used as an OpenID.
Richard Davies
Not only that, it won't work with any website that ever changes IP address. That's how the firewall that I need to request changes for works - at the IP level, not the domain level (I take it this is for efficiency purposes?) It's a real pain since some IPs change a lot.
Bobby Jack
Also, won't there always be some service that could, conceivably, be used to DDOS another host? For example, on my outbound-HTTP-locked-down host, ping can still contact any host.
Bobby Jack
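Putting the suggestions from vartec's and Adam Crume's answers together (stateful replies, a destination whitelist, and `iptables -m limit` throttling), here is an added example that is not code from any poster: a POSIX shell function that prints an iptables-restore ruleset for the DMZ web server. The function name, the `OUT_HTTP` chain name and the TEST-NET addresses are my own assumptions; as the comments note, the whitelist matches IP addresses, not hostnames, so it has to be kept current when a service changes IP.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset for a
# DMZ web server. Inbound: only new connections to 80/443 plus stateful replies.
# Outbound: stateful replies, DNS, and new HTTP/HTTPS connections only to the
# whitelisted destination IPs given as arguments, rate-limited with -m limit.
# Usage: dmz_web_rules 203.0.113.10 198.51.100.7 | iptables-restore -n
dmz_web_rules() {
    # Default-deny policies on every built-in chain; OUT_HTTP is our own chain.
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]' \
        ':OUT_HTTP - [0:0]'
    # Loopback and stateful replies: this is what lets the server answer its
    # clients even though OUTPUT is default-deny (evildead's point above).
    printf '%s\n' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A OUTPUT -o lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # The only inbound services: HTTP and HTTPS.
    printf '%s\n' \
        '-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT'
    # DNS so the application can resolve the external services it calls.
    printf '%s\n' \
        '-A OUTPUT -p udp --dport 53 -j ACCEPT' \
        '-A OUTPUT -p tcp --dport 53 -j ACCEPT'
    # New outbound HTTP/HTTPS is decided in the whitelist chain.
    printf '%s\n' \
        '-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j OUT_HTTP'
    for ip in "$@"; do
        # Throttle rather than block (vartec): at most 30 new connections per
        # minute (burst 10) per whitelisted destination; the excess falls
        # through to the LOG/DROP rules below. Addresses are constructed values.
        printf '%s\n' "-A OUT_HTTP -d $ip -m limit --limit 30/min --limit-burst 10 -j ACCEPT"
    done
    # Anything else (non-whitelisted destination or over the rate) is logged at
    # a bounded rate and dropped, so a compromised host phoning out is visible.
    printf '%s\n' \
        '-A OUT_HTTP -m limit --limit 5/min -j LOG --log-prefix "DMZ-HTTP-DENY: "' \
        '-A OUT_HTTP -j DROP' \
        'COMMIT'
}
```

Review the generated rules with `iptables-restore -t` before loading them; Bobby Jack's caveat about ICMP and other protocols still applies, since only TCP 80/443 is governed by the whitelist chain here.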
A: 

Depending on your SQL version, you could have certificate authentication timeout issues with SQL Server 2005.

Dave