Lots of good answers here but I’ll toss in my own “figure out what you need” experience from my first firewall funtime. (Disclaimer: I used nftables – it should be similar to ufw in terms of defaults though).
- Right off the bat, everything unneeded was blocked. I “needed” no configuration, except for maybe…
- Whatever CUPS runs on (when I use it)
- Sometimes I ran
python -m http.server
– I unblocked port 8000 for personal use. - I chose to unblock port 53 (DNS). I wanted to connect to another computer via hostname IIRC (e.g. connecting to raspberry-pi.local. I might be misremembering this though).
- At one point I played with NGINX – that’s port 80 (HTTP) and port 443 (HTTPS).
- SSH was already permitted (port 22 – you need root access to enable traffic through ports below 1024 anyway so this wasn’t an issue for running typical apps)
I didn’t use WireShark back then, really. I think I just ran something like
sudo lsof -nP -iTCP -sTCP:LISTEN
which showed me a bunch of port traffic (mostly just harmless language servers).
You don’t have to dive to deep into all the “egress” and “ingress” and whatnot unless you’re doing something special. Or your software uses a weird port. (LocalSend lol)
Not fishy at all! It’s like a lockpicking fan asking about locksport.
If you’re looking for examples, GitHub has a lot of CVE proof-of-concepts and there are lots of payload git repos across git hosts in general, but if you’re looking for a one-stop-shop “Steal all credentials,” or “Work on all OSes/architectures just by switching the compile target,” then you’ll have a harder time. (A do-one-thing-well approach is more maintainable after all.)
If you want to make something yourself that still tries to pull off the take-as-much-as-you-can, you should just search up how different apps store data and whether it’s easy to grab. Like, where browsers store their cookies, or the implications of X11’s security model (Linux-specific), or where Windows/Windows apps’ credentials and hashes are stored. Of course, there’s only much a payload can do without a vulnerability exploit to partner with (e.g. Is privilege escalated? Are we still in userland? is this just a run-of-the-mill Trojan?).
Apologies if my answer is too general.