Should a web server's firewall block outbound HTTP traffic over port 80?

Richard Davies · Apr 3, 2009

I understand the need for putting a web server in a DMZ and blocking inbound traffic to all ports except 80 and 443. I can also see why you should probably also block most outbound traffic in case the server is compromised.

But is it necessary to block outbound HTTP traffic over port 80? If so, why? A lot of web applications these days rely on sending/retrieving data from external web services and APIs, so blocking outbound traffic over port 80 would prevent this capability. Is there a security concern that's valid enough to justify this?

Answer

Steven Robbins · Apr 3, 2009

The only reason I can think of is if your machine is somehow compromised remotely then it won't be able to DDoS another website on port 80. It's not something I normally do though.
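
The firewall policy discussed in this thread, as an added example that is not part of the original question or answer: inbound limited to 80 and 443, outbound dropped by default, and new outbound HTTP/HTTPS connections permitted only to named API hosts, with other outbound port 80 attempts logged. The `egress_rules` helper, the log prefix and all addresses (documentation ranges) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for a DMZ web server.
# usage: egress_rules RESOLVER_IP API_IP...   (hypothetical helper)

egress_rules() {
    resolver=$1
    shift
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
EOF
    # DNS only to the one resolver the server is meant to use.
    printf '%s\n' "-A OUTPUT -p udp -d $resolver --dport 53 -j ACCEPT"
    printf '%s\n' "-A OUTPUT -p tcp -d $resolver --dport 53 -j ACCEPT"
    # New outbound web connections only to the external services the app calls.
    for dst in "$@"; do
        printf '%s\n' "-A OUTPUT -p tcp -d $dst -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Any other outbound port 80 attempt is logged (rate limited) before the
    # final drop; on a web server such an attempt is worth investigating.
    cat <<'EOF'
-A OUTPUT -p tcp --dport 80 -m limit --limit 6/min -j LOG --log-prefix "EGRESS80-DROP "
-A OUTPUT -j DROP
COMMIT
EOF
}

# Constructed sample: one resolver and two API hosts, documentation addresses.
egress_rules 192.0.2.53 198.51.100.10 203.0.113.25
```

The output can be checked with `iptables-restore --test` before it is loaded as root.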