HACKER Q&A
📣 samwillis

In light of Log4J why don’t we use outbound firewalls?


With the Log4J vulnerability it got me thinking about how to secure my apps from similar problems in the future. I already use a WAF such as CloudFlare as an inbound firewall, but what I want is an outbound firewall, like Little Snitch.

Also, when building with un-curated package managers such as NPM and PyPI, it’s virtually impossible to audit all dependencies. We now regularly hear news of packages being replaced with backdoored versions, which makes me very nervous. These could make outbound connections to exfiltrate data with no outside input.

I would love it if PAASs (which I prefer) such as Heroku and Fly.io had configurable outbound firewalls. Being able to whitelist what outbound connections were allowed would help enormously, even though it would not solve all potential exploits.

Does anyone know of one (I can’t find one)? Why do PAAS (and to some extent IAAS) not have this functionality built in?

(Obviously with your own infrastructure this is possible with normal firewalls)


👤 elesiuta Accepted Answer ✓
I actually just spent the last few months working on a new program called picosnitch that does almost exactly what you're looking for. And as you can probably tell from the name, it was inspired by Little Snitch.

It watches your system for new executables that connect to the internet, and notifies you whenever it detects the first connection from one, or when the hash changes for one it has seen before. It can also automatically check the hashes with VirusTotal. And unlike any of the other existing tools (that I know of), it can also properly detect connections from executables inside containers; although the reported exe path may be useless due to namespaces, it will still give you the correct hash.

However, where it is lacking when compared to Little Snitch is that it does not block anything, since I wanted to focus on doing performance and reliability really well, and my time is finite. Although I am open to making it easier to use in conjunction with something like fail2ban or your own custom scripts; modularity is a good thing.

I just recently got this program into a state where I feel it is ready to share, so I'd really appreciate any feedback, and am happy to discuss it further.


👤 LinuxBender
I've seen a few Linux implementations of something like Little Snitch but I would not consider any of them production datacenter ready. A balanced approach might be to do something as simple as using the "owner" module in iptables to create rules saying what service accounts on your servers are permitted to talk outbound, and to where, and on what ports. This example does not limit by application, but you can deploy your applications to use different service accounts, accomplishing essentially the same thing.

Mail server example:

  iptables -I OUTPUT -o eth0 -m owner --uid-owner postfix -p tcp --syn --dport 25 -j ACCEPT

To answer your question, here is a desktop firewall for Linux that operates like Little Snitch [1]. This is not meant to be used in your server deployments.

[1] - https://github.com/evilsocket/opensnitch
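Turning the owner-module idea above into a reviewable per-service egress allowlist, as an added example that is not from the thread or from any of the tools it mentions; the function name, the chain naming scheme and the sample addresses are assumptions made here, and the script prints the iptables commands rather than running them so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example (not from the thread): emit a per-service egress allowlist as
# iptables commands built on the "owner" module. Commands are printed, not
# executed, so the rule set can be reviewed and diffed before it is applied.
#
# usage: gen_egress_rules NAME UID "proto:dst:port proto:dst:port ..."
#   NAME  short label, used for the chain name and the log prefix
#   UID   numeric uid or account name the service runs as
#   dst   an IPv4 address or CIDR; port a single port number
# Only NEW connections are sent through the chain, so replies on already
# established flows are unaffected, and loopback traffic is left alone.
gen_egress_rules() {
  name=$1 uid=$2 allow=$3
  chain="EGRESS_$name"
  [ -n "$name" ] && [ -n "$uid" ] || { echo "usage: gen_egress_rules NAME UID ALLOWLIST" >&2; return 1; }
  printf 'iptables -N %s\n' "$chain"
  for entry in $allow; do
    proto=${entry%%:*}
    rest=${entry#*:}
    dst=${rest%:*}
    port=${rest##*:}
    case $proto in tcp|udp) ;; *) echo "bad proto in '$entry'" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "bad port in '$entry'" >&2; return 1 ;; esac
    printf 'iptables -A %s -p %s -d %s --dport %s -j ACCEPT\n' "$chain" "$proto" "$dst" "$port"
  done
  # Anything else the service tries to open is logged (rate limited) and then
  # refused with an immediate error rather than a silent timeout, which makes a
  # missing allowlist entry easy to spot in the kernel log.
  printf 'iptables -A %s -m limit --limit 5/min -j LOG --log-prefix "egress-deny %s: "\n' "$chain" "$name"
  printf 'iptables -A %s -j REJECT --reject-with icmp-admin-prohibited\n' "$chain"
  # Hook the chain into OUTPUT for this uid only, and for new connections only.
  printf 'iptables -I OUTPUT ! -o lo -m conntrack --ctstate NEW -m owner --uid-owner %s -j %s\n' "$uid" "$chain"
}

# Constructed sample: a mail relay allowed to reach one SMTP smarthost and one
# resolver, nothing else (addresses are documentation ranges, not real hosts).
gen_egress_rules postfix postfix "tcp:203.0.113.10:25 udp:192.0.2.53:53"
```

After applying the printed commands, the `egress-deny postfix:` prefix in the kernel log shows every destination the service tried to reach that is not on its list, which is both the tuning signal and the alert you would want from a backdoored dependency.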


👤 toast0
I've used outbound firewalls and it's painful. Your provider for some API changes IPs for whatever reason and now you need to change your firewall, etc.

If you use an outbound http/socks proxy, it's a bit more tenable. You can set rules based on hostnames, but you're also on the hook for running a production proxy cluster. Hopefully you don't need outbound UDP.