Firewall bouncer: blocking outgoing traffic?

ne20002 · January 30, 2023, 8:33am

As far as I see, the firewall bouncer block incomming traffic. I wonder if it is a good idea to check outgoing traffic as well?

Scenario: devices in the network my be compromised and use outgoing connections to a command and control server (as many trojan do).
Blocking those requests may be a use case. As CrowdSec is providing the local installation with community locklist this would be the way to get the IPs to block. It would require CrowdSec to include such IP addresses into the blocklists.

Do we have something like that?

iiAmLoz · January 31, 2023, 9:13am

It has been asked before and some users are doing this on opnsense. I haven’t tried to see if it can be done via the firewall bouncer.

The only prefix I would say is our IP’s are doing attacks and not really being used for C&C servers, however, it doesn’t take a second for an IP to switch but if they use already tainted servers it easier to detect via reputation.

Topic		Replies	Views
Newbie with CrowdSec crowdsec	2	702	April 30, 2021
Unblock IP from Firewall Bouncer	1	2696	November 22, 2022
Status on Pfsense plugin? crowdsec	1	2953	September 7, 2022
Working with two bouncers crowdsec	1	855	September 7, 2022
Blocked DDoS Metrics crowdsec	2	701	October 1, 2022

Firewall bouncer: blocking outgoing traffic?

Related Topics