Firewall Configuration
This document outlines the required Firewall configurations to ensure proper connectivity between your infrastructure and Escape's security testing platform.
Ingress Rules (Incoming Connections)
Public Locations
By default, all security testing requests from Escape are routed through Public Locations in your organization. To allow incoming traffic from Escape's Public Locations, allowlist the following IP addresses in your Firewall configuration:
| IP Address | Region |
|---|---|
| 163.172.177.16 | Europe |
| 163.172.182.228 | Europe |
| 163.172.182.47 | Europe |
| 163.172.178.115 | Europe |
| 163.172.174.61 | Europe |
| 163.172.168.233 | Europe |
| 51.79.24.70 | Canada |
| 51.79.25.196 | Canada |
| 51.79.26.185 | Canada |
| 172.235.52.11 | United States |
| 172.235.52.232 | United States |
| 172.236.242.86 | United States |
| 23.22.140.167 | Connectivity Checks |
Private Locations
Alternatively, you can deploy Private Locations to route requests through your own network infrastructure. Private Locations enable secure detection, fingerprinting, and scanning of internal applications behind your organization's Firewall or VPN without exposing them to the public internet.
Egress Rules (Outgoing Connections)
Required for Private Locations and Out-of-Band Testing
To enable Private Locations and Out-of-Band Testing capabilities (to detect vulnerabilities like SSRF), ensure that outgoing connections are allowed to the following endpoints:
| Purpose | Address/Domain | Protocol | Port(s) |
|---|---|---|---|
| Private Location Tunnel | 34.198.143.22 | SSH | 2222 |
| Private Location Tunnel | 52.6.14.96 | SSH | 2222 |
| Private Location Tunnel | private-location.escape.tech | TCP | 2222 |
| Out-of-Band Testing | 51.159.205.221 | HTTP | 80 |
| Out-of-Band Testing | 51.159.205.221 | HTTPS | 443 |
| Out-of-Band Testing | ssrf.tools.escape.tech | HTTP | 80 |
| Out-of-Band Testing | ssrf.tools.escape.tech | HTTPS | 443 |
IP-Based Firewall Rules
If your Firewall requires specific IP addresses instead of domain names, use `nslookup private-location.escape.tech` to retrieve the current IP addresses.
Verifying Firewall Configuration
To verify that your Firewall is properly configured, run the following connectivity tests from your internal network:
Test Private Location Connection
Expected Result: The output should include `debug1: OpenSSH_10.0p2, OpenSSL 3.4.1 11 Feb 2025` or similar version information, indicating successful SSH connectivity.
Test Out-of-Band Testing Endpoints
Expected Result: Both commands should return an HTTP response (any status code indicates successful connectivity). If either command times out or fails to connect, the corresponding protocol (HTTP or HTTPS) requires additional Firewall configuration.
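The checks described in this section, combined into one added script (an example written for this page, not Escape's own commands): it reads the SSH identification banner on the tunnel endpoints and requests the Out-of-Band endpoints over HTTP and HTTPS. The function names, the 5-second timeout and the use of `curl -k` are assumptions of this example.

```bash
# Added example; function names, TIMEOUT and curl -k are this example's assumptions.
TIMEOUT=5
# Egress endpoints from the table above, as "purpose host port".
ENDPOINTS='tunnel 34.198.143.22 2222
tunnel 52.6.14.96 2222
tunnel private-location.escape.tech 2222
oob 51.159.205.221 80
oob 51.159.205.221 443
oob ssrf.tools.escape.tech 80
oob ssrf.tools.escape.tech 443'

# An SSH server opens with "SSH-2.0-..."; a proxy or a dropped connection does not.
is_ssh_banner() {
  case "$1" in SSH-2.0-*|SSH-1.99-*) return 0 ;; *) return 1 ;; esac
}

# curl reports 000 when no HTTP response arrived; any real status code counts.
http_reachable() {
  case "$1" in [1-5][0-9][0-9]) return 0 ;; *) return 1 ;; esac
}

# First line sent by host:port, read through bash's /dev/tcp.
read_banner() {
  timeout "$TIMEOUT" bash -c 'exec 3<>"/dev/tcp/$0/$1" && head -n 1 <&3' \
    "$1" "$2" 2>/dev/null | tr -d '\r'
}

check_endpoint() {  # args: purpose host port
  if [ "$1" = tunnel ]; then
    is_ssh_banner "$(read_banner "$2" "$3")"; return
  fi
  scheme=http; [ "$3" = 443 ] && scheme=https
  # -k: raw-IP rows cannot match the certificate name; this tests reachability only.
  code=$(curl -sk -o /dev/null -w '%{http_code}' --max-time "$TIMEOUT" "$scheme://$2/")
  http_reachable "$code"
}

run_all() {
  failed=0
  while read -r purpose host port; do
    if check_endpoint "$purpose" "$host" "$port"; then echo "OK      $host:$port"
    else echo "BLOCKED $host:$port"; failed=1; fi
  done <<EOF
$ENDPOINTS
EOF
  return "$failed"
}
# Network checks run only on request: bash check.sh run
if [ "${1:-}" = run ]; then run_all; fi
```

A `BLOCKED` line names the exact host and port that still needs an egress rule; the script exits non-zero if any endpoint fails.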