In computer networking, egress filtering is the practice of monitoring and potentially restricting the flow of information outbound from one network to another. Typically it is information from a private TCP/IP computer network to the Internet that is controlled.
Egress filtering helps ensure that unauthorized or malicious traffic does not leave the internal network unnoticed. It limits what a compromised host can reach (command-and-control servers, exfiltration endpoints, victims on other networks) and produces a log of attempts to do so.
In a corporate network, the typical recommendation is to deny egress to all traffic except that originating from a small, designated set of servers. Restrictions can further be narrowed so that only select protocols, such as HTTP, email, and DNS, are allowed from those servers. User workstations are then configured, either manually or via proxy auto-config (PAC), to reach the Internet only through one of the allowed servers acting as a proxy. Because HTTP and DNS are themselves common channels for command-and-control and data exfiltration, the value of such a policy depends on the proxy and resolver being the only hosts able to speak those protocols outbound, and on their logs being reviewed.
Edge networks, whether multi-homed or not, usually have a limited number of address blocks in use. Such edge networks typically filter packets leaving their networks, verifying that the source IP address in every packet falls within the allocated address blocks. The purpose is to prevent computers on the network from engaging in IP address spoofing, for example as participants in a reflected denial-of-service attack; this is the source address validation recommended in BCP 38 (RFC 2827).
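The two preceding paragraphs describe one ruleset: deny everything outbound by default, allow only a handful of servers on their protocols, and drop any packet whose source address is not ours. The nftables ruleset below is an added illustration, not part of the original article or of any particular vendor's configuration. The interface names (`lan0`, `wan0`) and the addresses (the documentation prefix 192.0.2.0/24, with the proxy at .10, mail relay at .20 and resolver at .53) are assumptions chosen for the example.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the original article). Interface names and
# addresses are assumptions; substitute the allocated blocks of the real network.

define lan      = 192.0.2.0/24   # our allocated block (assumed)
define proxy    = 192.0.2.10     # outbound web proxy (assumed)
define mail     = 192.0.2.20     # outbound mail relay (assumed)
define resolver = 192.0.2.53     # recursive DNS resolver (assumed)

flush ruleset

table inet egress {
    chain forward {
        # The weak starting point would be "policy accept" with no rules:
        # every host may reach any Internet port. Here the default is drop.
        type filter hook forward priority filter; policy drop;

        # Return traffic for flows that were already permitted.
        ct state established,related accept
        ct state invalid drop

        # Anti-spoofing (BCP 38 on the egress side): anything leaving for the
        # Internet must carry a source address from our own block. Placed first
        # so that even the allowed servers cannot forge addresses.
        iifname "lan0" oifname "wan0" ip saddr != $lan \
            log prefix "egress-spoofed: " drop

        # Only the designated servers may leave, and only on their protocols.
        oifname "wan0" ip saddr $proxy    tcp dport { 80, 443 } accept
        oifname "wan0" ip saddr $resolver udp dport 53          accept
        oifname "wan0" ip saddr $resolver tcp dport 53          accept
        oifname "wan0" ip saddr $mail     tcp dport { 25, 587 } accept

        # Everything else, including workstations trying to bypass the proxy,
        # is logged and then dropped by the chain policy.
        oifname "wan0" log prefix "egress-denied: " drop
    }
}
```

Loaded with `nft -f`, this ruleset lets workstations reach the Internet only through the proxy and resolver, which is why they must be pointed at those hosts (manually or via PAC). Because the table uses the `inet` family and the allow rules match `ip saddr` only, IPv6 traffic hits no accept rule and falls to the drop policy; a network that uses IPv6 needs parallel `ip6 saddr` rules and its own anti-spoofing line for the allocated IPv6 prefix. The two log prefixes give the operations team a direct feed of spoofing attempts and of hosts trying to bypass the policy, which is usually the first sign that a new application needs a rule, or that a host has been compromised.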
Egress filtering may require policy changes and administrative work whenever a new application requires external network access. For this reason egress filtering is an uncommon feature on consumer and very small business networks.
PCI DSS requires egress filtering from any server in the cardholder data environment. This requirement appears in PCI DSS v1.2, sections 1.2.1 and 1.3.5.