I don’t like running systems I don’t understand. By default, most desktops allow all outbound traffic and only worry about inbound filtering. That model assumes trust. I wanted visibility and control. So I flipped the model: deny all outbound traffic and explicitly allow only what I use. The goal wasn’t paranoia — it was clarity. If something leaves my machine, I want to know why.
UFW Setup and Egress Hardening (Arch Linux)
1. Install UFW
Install UFW for Debian / Ubuntu
```bash
sudo apt update
sudo apt install ufw
```
Install UFW for Fedora
```bash
sudo dnf install ufw
```
Install UFW for Arch
```bash
sudo pacman -S ufw
```
2. Enable and Start Service (Persist at Boot)
```bash
sudo systemctl enable ufw.service
sudo systemctl start ufw.service
```
Verify:
```bash
systemctl status ufw.service
```
Expected:
```
Active: active (exited)
```
Switching to a deny-by-default egress policy immediately exposed how much background noise a modern Linux system generates: multicast DNS (UDP 5353), SSDP (UDP 1900), broadcast traffic, IPv6 chatter, QUIC (UDP 443) and ICMP requests were being generated constantly. Most of it was background discovery traffic rather than functional breakage. The important part wasn’t blocking it; it was understanding it. This exercise forced me to separate necessary traffic from convenience traffic and build a firewall policy based on intent rather than defaults.
3. Set Secure Defaults
```bash
sudo ufw default deny incoming
sudo ufw default deny outgoing
```
4. Allow Core System Ports (Minimal Internet Functionality)
DNS:
```bash
sudo ufw allow out 53/udp
sudo ufw allow out 53/tcp
```
DNS over TLS:
```bash
sudo ufw allow out 853/tcp
```
mDNS:
Spotify uses this for discovery of local devices on the LAN.
```bash
sudo ufw allow out 5353/udp
```
HTTP:
```bash
sudo ufw allow out 80/tcp
```
HTTPS (TCP, plus UDP for QUIC):
```bash
sudo ufw allow out 443/tcp
sudo ufw allow out 443/udp
```
NTP:
```bash
sudo ufw allow out 123/udp
```
5. Enable Firewall Rules
```bash
sudo ufw enable
sudo ufw reload
```
6. Optional: Logging for Visibility
```bash
sudo ufw logging medium
```
Check blocks:
```bash
journalctl -xe | grep UFW
```
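Reading raw `[UFW BLOCK]` lines one at a time is the tedious part of deciding what to allow. The script below is an added example, not code from the original post: it parses journal output in the format the kernel logs for UFW, keeps only blocked outbound packets, groups them by destination class (multicast, broadcast, LAN, internet), address, protocol and port, and prints the narrowest `allow out` rule that would cover each group. The log lines in `SAMPLE_LOG` are constructed for the example; the helper names are my own. The design choice worth noting is that discovery traffic such as mDNS gets a rule scoped to its multicast address (`to 224.0.0.251 port 5353 proto udp`) rather than `5353/udp` to anywhere.

```python
"""Triage UFW egress blocks from journal output (added example, not the post's own code)."""
import ipaddress
import re
import sys
from collections import Counter

# Constructed sample lines in the format the kernel emits for UFW logging
# (made up for this example; not captured from the author's machine).
SAMPLE_LOG = """\
Jan 10 12:00:01 arch kernel: [UFW BLOCK] IN= OUT=wlan0 SRC=192.168.1.20 DST=224.0.0.251 LEN=60 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=40
Jan 10 12:00:02 arch kernel: [UFW BLOCK] IN= OUT=wlan0 SRC=192.168.1.20 DST=239.255.255.250 LEN=180 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=53000 DPT=1900 LEN=160
Jan 10 12:00:03 arch kernel: [UFW BLOCK] IN= OUT=wlan0 SRC=192.168.1.20 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 10 12:00:04 arch kernel: [UFW BLOCK] IN= OUT=wlan0 SRC=192.168.1.20 DST=203.0.113.10 LEN=1250 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=41000 DPT=443 LEN=1230
Jan 10 12:00:05 arch kernel: [UFW BLOCK] IN= OUT=wlan0 SRC=192.168.1.20 DST=203.0.113.10 LEN=1250 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=41001 DPT=443 LEN=1230
Jan 10 12:00:06 arch kernel: [UFW BLOCK] IN= OUT=wlan0 SRC=192.168.1.20 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jan 10 12:00:07 arch kernel: [UFW BLOCK] IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.168.1.99 DST=192.168.1.20 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=5555 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

UFW_TAG = re.compile(r"\[UFW (\w+)\]\s*(.*)$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ufw_line(line):
    """Return the KEY=VALUE fields of one UFW log line, or None if the line is not one."""
    m = UFW_TAG.search(line)
    if not m:
        return None
    fields = {"ACTION": m.group(1)}
    for tok in m.group(2).split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields.setdefault(key, value)  # keep the IP-header LEN=/ID=, not the inner ones
        else:
            fields[tok] = True  # bare flags such as DF or SYN
    return fields


def classify_dst(dst):
    """Rough bucket for a destination address so discovery chatter stands out from real egress."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return "unknown"
    if addr.is_multicast:
        return "multicast"
    if addr.version == 4 and dst.endswith(".255"):  # heuristic: directed/limited broadcast
        return "broadcast"
    if addr.version == 4 and any(addr in net for net in RFC1918):
        return "lan"
    if addr.version == 6 and addr in ipaddress.ip_network("fc00::/7"):
        return "lan"
    return "internet"


def summarize_outbound_blocks(log_text):
    """Count blocked outbound packets per (bucket, dst, proto, dport); inbound blocks are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_ufw_line(line)
        if not f or f["ACTION"] != "BLOCK":
            continue
        if f.get("IN") or not f.get("OUT"):
            continue  # IN= set means inbound (or forwarded); only egress matters here
        proto = f.get("PROTO", "?").lower()
        dport = "type" + f.get("TYPE", "?") if proto == "icmp" else f.get("DPT", "-")
        counts[(classify_dst(f.get("DST", "")), f.get("DST", ""), proto, dport)] += 1
    return counts


def suggest_rule(key):
    """Narrowest ufw 'allow out' rule that would permit this flow, for the operator to judge."""
    bucket, dst, proto, dport = key
    if proto == "icmp":
        return "# ICMP has no port; outbound ICMP needs an OUTPUT rule in /etc/ufw/before.rules"
    if bucket in ("multicast", "broadcast"):
        # scope LAN discovery to its one address rather than opening the port to the world
        return f"sudo ufw allow out to {dst} port {dport} proto {proto}"
    return f"sudo ufw allow out {dport}/{proto}"


if __name__ == "__main__":
    # Pipe real journal output in (e.g. journalctl -k | grep UFW | python3 triage.py);
    # with no stdin data the constructed sample is used.
    log = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for key, n in summarize_outbound_blocks(log).most_common():
        print(f"{n:4d}  {key[0]:<10} {key[1]:<18} {key[2]}/{key[3]:<8} {suggest_rule(key)}")
```

Run against the sample, the two UDP 443 blocks to the same host collapse into one QUIC line with a count of 2, while the mDNS, SSDP and NetBIOS broadcast lines each get a rule pinned to their multicast or broadcast address; the inbound SSH probe is skipped because this is an egress audit.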
Final Allowed Outbound Ports
| Port | Protocol | Purpose |
|---|---|---|
| 53 | TCP/UDP | DNS |
| 853 | TCP | DNS over TLS |
| 80 | TCP | HTTP |
| 443 | TCP | HTTPS |
| 443 | UDP | QUIC |
| 123 | UDP | NTP |
| 5353 | UDP | Multicast DNS (Spotify LAN discovery) |
A properly configured firewall does not require opening ephemeral port ranges. Allowing destination service ports (e.g., 443/tcp) is sufficient because RELATED and ESTABLISHED traffic is automatically permitted.
For a functional hardened desktop, I allowed only core ports (53, 853, 80, 443 TCP/UDP, 123) and later added 5353/UDP for Spotify discovery. Everything else remained blocked without impacting usability.
This experiment clarified how outbound control differs from inbound filtering and demonstrated that a deny-by-default egress model is viable on a modern desktop with measured adjustments.
I learned a great deal about what each application on my computer was doing and what I needed to be aware of. I want to know all telemetry leaving my machines and exactly what I am allowing.