outbound ports that are always open

networking internet firewall port

What are some ports that can NEVER be blocked outbound in firewalls, as doing so will stop basic internet use? Some I can think of are: port 53 udp/tcp -- dns, blocking this will prevent users accessing any domain port 80 tcp - http port 443 tcp - https Are these all, and are these ports ALWAYS accessible outbound on every host connected to the internet?


There are no ports that need to be opened for full access in your outbound firewall rules.

Why? Because by proxying requests we can achieve the same thing, except with more control.

The three most common:

  • HTTP proxy (so you can close port 80 and 443)
  • Internal DNS servers (proxy requests to the outside world)
  • Internal Mail server (relays incoming and outgoing mail to the world)

Then you simply setup your firewall to allow connections from the IPs associated with the machines running these services ONLY.

Basically, it's a subjective question with no real right answer.


Wow, this is a question that has a somewhat broad and complicated answer.

  1. Hosts are not typically connected "directly" to the internet. They usually sit behind a firewall\router of some sort.

  2. Outbound ports are not open on a host unless the host has an active connection to another host.

  3. Hosts don't connect FROM port 80, port 443, etc. they connect TO port 80, port 443, etc.

  4. The ports you referenced are inbound ports on the destination host. the outbound port on the source host is a random port, selected from the ephemeral port range.

  5. You technically don't need to open any outbound ports on your firewall. If you wanted to isolate your network from the internet you would block all outgoing traffic.

  6. Firewalls usually have what's called an "ANY ANY" rule for outbound traffic, meaning any outbound traffic coming in to the internal interface of the firewall (local LAN) is not restricted and the return traffic is not restricted.

  7. Web servers listen for INCOMING connections on port 80. DNS servers listen for INCOMING connections on port 53, etc. These are inbound ports, not outbound ports.


It is worth noting that ports do not have to be fully open or closed. A firewall might allow the standard DNS related ports through only to local DNS servers for instance, or a transparent proxy may capture connections and only forward the on to the final destination if the protocol is right (this could, for instance, stop you using port 80 for outgoing P2P connections without blocking normal HTTP traffic - though it would not on its own stop you trying to use a HTTP->P2P proxy).

You can not guarantee any port will be open, or if you find it to be open in some cases it may not be open to all communication attempts even from the same location.

Ubiquitous as HTTP is, it is not entirely impossible that you will find environments where HTTP(S) is not permitted but other protocols are.

Related

Stopping pushers from breaking my central Mercurial repository [closed]
Does the userPrincipalName (UPN) attribute always exist in Active Directory?
Upgrading multiple Debian servers at once
CentOS default ssl.conf file
nginx with real_ip -- log both client remote_addr and proxies address
Mount XFS partition with < 4k block size
If a raid controller changes, are the drives still usable without re-formatting? [closed]
Let Postfix handle spam in two ways
Is a 'high' IO rate healthy?
Ubuntu server ext4 hitting 65000 subdirectory limit
Why httpd graceful restart takes such a long time?
Can I prevent an Active Directory account from locking out?