What is the purpose of filtering egressing traffic (CSF)?

Question

For a while now I am using CSF as main firewall with LFD, and OSSEC as main IDS. (I like OSSEC over the overreacting builtin IDS of CSF).

I tested it for small DoS attacks such a slowloris variants and synfloods. Works fine. Apache is running with mod_security and mod_evasive. Works fine.

In the backend audit is watching my password files for changes and I have Clam AV running as main AV together with LMD (linux malware detect) running at nighttime. LSM is is monitoring port activity of all daemons.

the only internet-accessible services that are running on the server are a TOR-relay (non exit), Apache and SSHD.

Question: Why should I filter egressing traffic from my server with CSF?

I cannot find any advantages other than managing which traffic is allowed to exit my server. Since I have no other users using my server and hackers/crackers could simply use any of the open exiting ports 22,80,443,9001,9030,9595 to exit my server; why filter it?

meta: Centos 64b, LMD, Audit, CSF, LFD, OSSEC HIDS, ClamAV, LSM

P.S: I forgot to mention why I am posing this question: Clamd wants to update regularly and it seems that I can't set the outgoing port.

Answer 1

The reason to filter egress traffic (with CSF or anything else) is to reduce your security risk profile. This is especially important in high security threat environments, for instance, a shared web hosting server, where you don't have complete control over what software users install.

In such an environment, if a user installs a vulnerable piece of software which allows an attacker to execute arbitrary code on your server, with a default deny security philosophy, filtering egress traffic limits what the attacker is able to do. For example, while you may have some open ports, if egress 25/tcp is blocked, an unprivileged user on your box can't email spam without going through the MTA on the server.

In your particular case you have to decide if the amount of effort required to move your firewall configuration toward a default deny security philosophy is worth your time.