I wanna close ALL outgoing ports except 443, 123, 853. How to block ALL except these ones?
Why: to avoid abuse of my network as much as possible.
Will this be a good idea? I use my Fedora only for home usage, and I wanna mitigate potential exploits
Welcome to the community @krish! You can use a firewall to block everything but those ports, but outgoing isn’t where you want to block traffic. It’s the open incoming ports that should be a concern. UFW does a pretty good job of blocking unneeded ports.
Hmm. That’s interesting. I had the idea to block both directions to guarantee that, for example, something won’t fall back to plain HTTP (for example some app), where HTTP can be easily intercepted and modified to be harmful.
Or, for example, port 53, which allows the ISP to spy on and modify queries (some programs still use 53, even if resolved.conf or stubby is configured for DoT).
Or NTP, which is often used even with chrony configured to use NTS…
This is from “better safe than sorry”.
I also have a Flint 2 (GL.iNet, OpenWRT), so I can close ports there.
But for now there are more important questions: how likely I will break something critical (that’s why I want to test on my own machine first, without causing headaches for my housemates) and how effective this approach is as a mitigation?
All incoming is already set to “DROP” on both levels: router and PC.
Welcome to the forums! Fedora still uses Firewalld so try this:
sudo firewall-cmd --permanent --zone=public --set-target=DROP
sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 port port=443 protocol=tcp accept'
sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 port port=123 protocol=udp accept'
sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 port port=853 protocol=tcp accept'
sudo firewall-cmd --reload
Note that the --set-target=DROP affects inbound for the zone, not outbound. Firewalld defaults to allowing outgoing traffic, so this won’t actually block all outgoing ports.
Second, yes, this will likely break DNS unless they are explicitly using DoT on 853 and not standard port 53.
Blocking all outgoing ports requires additional rich rules or direct rules.
You could run something like pfSense on a Raspberry Pi or something better for that layer of added control, as well as IDS/IPS and alerting.
Also see: pfSense Firewall 2.8: Install & Config – Settings Walkthrough
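An added example, not from this thread or from the firewalld project, of the outbound allow-list the question asks for, done with a firewalld policy (HOST to ANY) instead of a zone target, which only filters inbound. It assumes firewalld 1.0 or newer (policy objects) and only prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example: build a firewalld policy that drops every new outbound
# connection this host originates except 443/tcp, 123/udp and 853/tcp.
# Assumes firewalld >= 1.0 (policy objects). A zone's --set-target=DROP
# only affects inbound traffic for that zone, so a policy is needed here.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them with sudo.
DRY_RUN="${DRY_RUN:-1}"
POLICY="egress-allowlist"            # policy name chosen for this example
ALLOWED_PORTS="443/tcp 123/udp 853/tcp"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        sudo "$@"
    fi
}

egress_policy_commands() {
    # Ingress zone HOST + egress zone ANY matches packets the host itself
    # sends out; target DROP discards anything the allow-list below misses.
    run firewall-cmd --permanent --new-policy "$POLICY"
    run firewall-cmd --permanent --policy "$POLICY" --add-ingress-zone HOST
    run firewall-cmd --permanent --policy "$POLICY" --add-egress-zone ANY
    run firewall-cmd --permanent --policy "$POLICY" --set-target DROP
    for p in $ALLOWED_PORTS; do
        run firewall-cmd --permanent --policy "$POLICY" --add-port "$p"
    done
    run firewall-cmd --reload
}

# Caveats raised in the thread: with only these three ports open, plain DNS
# (53/udp+tcp), DHCP renewals (67-68/udp) and outbound ICMP are dropped as
# well. Add them to ALLOWED_PORTS if the host still needs them, otherwise
# expect the breakage the replies above describe.
egress_policy_commands
```

After a real run, `sudo firewall-cmd --info-policy egress-allowlist` shows the resulting policy, and `sudo nft list ruleset` shows the generated chains if you want to confirm that established connections and loopback are still accepted before the policy applies.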
My work Linux PC has no outgoing ports blocked. Only incoming. Generally you want to block outgoing on guest networks and guest devices, at least on desktop.