The firewall is the most-quoted, least-understood piece of equipment in a small or mid-sized business network. Every vendor will sell you one. Most installers will configure it the way they always do — open enough to not get support calls, with little thought given to what should actually be allowed in or out. The result is a piece of hardware that looks like security but functions more like a doorstop.
You don't need a security operations centre to do this properly. You need five policy decisions made deliberately, written down, and reviewed once a year. None of them are technically difficult. Most SMEs we walk into have got at least two of them wrong.
1. Block outbound by default, allow by exception
Most firewalls ship configured to block incoming traffic by default. Almost none of them block outgoing traffic that way — and that's exactly the gap that ransomware and data-exfiltration tools are built to walk through. A compromised machine on your network needs to phone home to a command-and-control server somewhere on the internet. If your firewall lets any device talk to anywhere on any port outbound, you've handed that machine the door.
The right default is the inverse: deny all outbound, then allow specific destinations and ports for the things your business actually does — web browsing on 80/443, email to your provider, software updates from named vendors, the small handful of cloud services you use. Anything else gets blocked and logged. The first time it catches something legitimate, you add a rule. The first time it catches something suspicious, you've stopped the breach before it began.
2. Segment your guest Wi-Fi from everything else
Guest Wi-Fi is one of the easiest ways for a casual visitor to end up with a route into your file servers. The fix is trivial — put guest Wi-Fi on its own VLAN, with firewall rules that allow it to reach the internet but not your internal network — and yet we routinely walk into offices where the guest network is sitting on the same subnet as the accounting workstation.
The same logic applies to IoT and "smart" devices. The wireless printer, the conference-room TV, the connected coffee machine, the security camera DVR — every one of them is a small computer running firmware nobody on your team is updating. None of them should be on the same network as your laptops and servers. Segmentation isn't paranoia, it's hygiene.
3. Geo-block countries you don't do business with
If your business operates in India and serves customers in India, the United Kingdom and the United States, there is no legitimate reason for traffic from twenty other countries to be reaching your services. Modern firewalls support geo-IP blocking — you can drop traffic from named countries at the edge in a few clicks.
This won't stop a determined attacker who routes through a VPN, but it will eliminate the enormous baseline of opportunistic scanning, brute-force login attempts and exploit probes that comes from infrastructure in countries you have no commercial relationship with. The volume of background noise it removes is staggering, and the false-positive rate is almost zero if you've thought about your actual customer geography.
The combined effect of rules 1 to 3 is that an attacker who manages to land malware on a machine inside your network finds the call home blocked by the outbound policy, lateral movement to other devices blocked by VLAN segmentation, and the inbound exploit attempt blocked at the edge before it ever reached the machine. None of these rules is sophisticated. Together, they remove the most common attack patterns SMEs face.
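To make rules 1 to 3 concrete, here is a small policy model that evaluates one flow at a time the way a zone-based firewall would: first-match rules, outbound denied unless listed, guest and IoT VLANs cut off from internal ranges, and traffic from countries outside the business footprint dropped before any rule is consulted. This is an added example, not code from the article or from any firewall vendor; the zone names, address ranges, geo-IP table, country codes and named mail and update hosts are all constructed for illustration.

```python
"""Zone-based default-deny policy model for rules 1 to 3.

Added example, not the article's or any vendor's code. Zone names, address
ranges, the geo-IP table and the named destinations are all constructed.
Rules are evaluated first-match; anything unmatched is denied and logged.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed VLAN-to-address mapping (rule 2: guest and IoT on their own VLANs).
ZONES = {
    "lan":   [ip_network("10.10.0.0/24")],
    "guest": [ip_network("10.20.0.0/24")],
    "iot":   [ip_network("10.30.0.0/24")],
}
INTERNAL = [ip_network("10.0.0.0/8"),
            ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]

# Constructed geo-IP table; a real firewall uses its vendor's feed. The country
# codes are illustrative, not real allocations of these documentation ranges.
GEO = {
    ip_network("203.0.113.0/24"):  "IN",
    ip_network("198.51.100.0/24"): "GB",
    ip_network("192.0.2.0/24"):    "US",
    ip_network("198.18.0.0/15"):   "XX",   # stand-in for a country not served
}
ALLOWED_COUNTRIES = {"IN", "GB", "US"}   # rule 3: the business's footprint


@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # zone name, "wan", or "any"
    dst: str          # "internet", "internal", a CIDR string, or "any"
    ports: frozenset  # empty means any port
    action: str       # "allow" or "deny"


# Rule 1: nothing outbound is allowed unless a rule here says so.
RULES = [
    # Rule 2: guest and IoT may never reach internal ranges.
    Rule("guest-no-internal", "guest", "internal", frozenset(), "deny"),
    Rule("iot-no-internal",   "iot",   "internal", frozenset(), "deny"),
    # Rule 1: web, mail to the named provider, updates from the named vendor.
    Rule("lan-web-out",   "lan",   "internet",         frozenset({80, 443}), "allow"),
    Rule("guest-web-out", "guest", "internet",         frozenset({80, 443}), "allow"),
    Rule("lan-mail-out",  "lan",   "198.51.100.25/32", frozenset({587}),     "allow"),
    Rule("iot-updates",   "iot",   "192.0.2.80/32",    frozenset({443}),     "allow"),
]

DENY_LOG = []   # every deny lands here; this is what a weekly review reads


def zone_of(ip):
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in n for n in nets):
            return name
    return "unknown" if any(addr in n for n in INTERNAL) else "wan"


def country_of(ip):
    addr = ip_address(ip)
    for net, cc in GEO.items():
        if addr in net:
            return cc
    return "??"


def dst_matches(ip, spec):
    addr = ip_address(ip)
    inside = any(addr in n for n in INTERNAL)
    if spec == "any":
        return True
    if spec == "internal":
        return inside
    if spec == "internet":
        return not inside
    return addr in ip_network(spec)


def evaluate(src, dst, port):
    """Return (action, reason) for one flow, logging every deny."""
    zone = zone_of(src)
    # Rule 3: traffic from outside the footprint is dropped at the edge
    # before the rule table is consulted at all.
    if zone == "wan" and country_of(src) not in ALLOWED_COUNTRIES:
        DENY_LOG.append((src, dst, port, "geo-block"))
        return "deny", "geo-block"
    for rule in RULES:
        if rule.src not in (zone, "any"):
            continue
        if not dst_matches(dst, rule.dst):
            continue
        if rule.ports and port not in rule.ports:
            continue
        if rule.action == "deny":
            DENY_LOG.append((src, dst, port, rule.name))
        return rule.action, rule.name
    DENY_LOG.append((src, dst, port, "default-deny"))
    return "deny", "default-deny"


if __name__ == "__main__":
    for flow in [("10.10.0.5", "192.0.2.10", 443),   # browsing: allowed
                 ("10.10.0.5", "192.0.2.10", 4444),  # odd port: call home blocked
                 ("10.20.0.7", "10.10.0.2", 445),    # guest to file server: blocked
                 ("10.30.0.9", "192.0.2.80", 443),   # IoT update from named vendor
                 ("198.18.0.1", "10.10.0.2", 443),   # unserved country: geo-block
                 ("203.0.113.4", "10.10.0.2", 22)]:  # served country, no inbound rule
        print(flow, evaluate(*flow))
```

The order of the rule table matters: the two segmentation denies sit above the allows so that a guest device asking for port 443 on an internal host is stopped by rule 2 rather than matched by the web allow. Every deny is appended to `DENY_LOG`, which is the point of rule 1's "blocked and logged": a legitimate service that gets caught shows up there as a new rule to add, and a call home on a port you never allowed shows up there as the thing that just got stopped.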
4. Disable remote management on the WAN side
Many firewalls ship with a remote-management interface enabled by default on the public-facing side, so the installer can configure it without being on-site. This is convenient for the installer and a gift to attackers. The login page becomes a target for credential-stuffing attacks the moment the device's IP is exposed to the internet — which it is, the moment it's plugged in.
If you need to manage the firewall remotely, do it through a VPN that requires multi-factor authentication, not by exposing the management interface directly. If you don't need to manage it remotely at all, turn the WAN-side management off entirely. The same logic applies to the management interfaces on switches, access points, NAS units and cameras — none of them should be reachable from the open internet.
5. Log everything, and actually look at the logs
Most SMEs treat firewall logs as something the device generates and forgets. The logs are useful for two things: spotting patterns that indicate a problem (repeated failed logins from the same IP, sudden spikes in outbound traffic to unusual destinations, devices trying to talk to ports they shouldn't), and providing forensic evidence after an incident.
You don't need a full SIEM platform to do this well. A simple weekly review of the firewall's blocked-traffic and login-attempt logs by someone who understands the business will catch most concerning patterns long before they turn into incidents. The first time you spot a workstation trying to talk to an IP address in a country you don't operate in, you've justified the entire exercise.
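The weekly review described above can be most of the way scripted. The following is an added example, not code from the article or from any firewall product: it parses a constructed key=value log format (no real vendor writes exactly this), and flags the three patterns named in the previous section: repeated failed logins from one source, a sudden spike in outbound volume from one host, and devices talking to ports no business rule covers. The sample log lines, the outbound port allow-list and the per-host weekly baselines are all constructed for the example.

```python
"""Weekly firewall log review for rule 5.

Added example, not the article's or any vendor's code. The log format is a
constructed key=value style, not any real firewall's, and the sample lines,
port allow-list and per-host baselines below are constructed for the example.
"""
from collections import Counter, defaultdict

# Constructed week of log lines: a normal workstation, one host pushing far
# more data out than usual, one host talking to an odd port, and a burst of
# failed logins against the management interface from a single address.
SAMPLE_LOG = """\
2024-05-06T08:00:01 action=ACCEPT dir=out src=10.10.0.5 dst=192.0.2.10 dport=443 bytes=2400
2024-05-06T08:00:09 action=ACCEPT dir=out src=10.10.0.5 dst=192.0.2.10 dport=443 bytes=1800
2024-05-06T08:01:15 action=DROP dir=out src=10.10.0.5 dst=198.51.100.77 dport=4444 bytes=0
2024-05-06T08:02:00 action=ACCEPT dir=out src=10.10.0.9 dst=203.0.113.40 dport=443 bytes=52000000
2024-05-06T08:02:30 action=ACCEPT dir=out src=10.10.0.9 dst=203.0.113.40 dport=443 bytes=61000000
2024-05-06T08:03:00 action=ACCEPT dir=out src=10.10.0.7 dst=192.0.2.33 dport=3389 bytes=7000
2024-05-06T08:03:20 action=ACCEPT dir=out src=10.30.0.4 dst=192.0.2.80 dport=443 bytes=900
2024-05-06T08:04:00 action=LOGIN_FAIL src=198.51.100.200 user=admin
2024-05-06T08:04:02 action=LOGIN_FAIL src=198.51.100.200 user=admin
2024-05-06T08:04:04 action=LOGIN_FAIL src=198.51.100.200 user=root
2024-05-06T08:04:06 action=LOGIN_FAIL src=198.51.100.200 user=admin
2024-05-06T08:04:08 action=LOGIN_FAIL src=198.51.100.200 user=admin
2024-05-06T08:10:00 action=LOGIN_FAIL src=203.0.113.9 user=admin
"""

# Ports the outbound allow-list covers (constructed), i.e. what rule 1 permits.
ALLOWED_OUT_PORTS = {53, 80, 443, 587}

# Constructed "normal week" of outbound bytes per host, taken from earlier reviews.
BASELINE_BYTES = {"10.10.0.5": 5_000_000, "10.10.0.7": 5_000_000,
                  "10.10.0.9": 8_000_000, "10.30.0.4": 100_000}


def parse(log_text):
    """Turn each 'timestamp k=v k=v ...' line into a dict; skip blank lines."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        rec = {"ts": ts}
        for field in rest.split():
            k, _, v = field.partition("=")
            rec[k] = v
        records.append(rec)
    return records


def repeated_failed_logins(records, threshold=5):
    """Sources with at least `threshold` failed logins in the period."""
    counts = Counter(r["src"] for r in records if r.get("action") == "LOGIN_FAIL")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def unexpected_ports(records, allowed=ALLOWED_OUT_PORTS):
    """Outbound flows, accepted or dropped, to ports with no business rule.
    A DROP is the policy working; an ACCEPT means the rule set needs a look."""
    hits = defaultdict(set)
    for r in records:
        if r.get("dir") == "out" and int(r["dport"]) not in allowed:
            hits[r["src"]].add((r["dst"], int(r["dport"]), r["action"]))
    return dict(hits)


def outbound_spikes(records, baseline=BASELINE_BYTES, factor=3):
    """Hosts whose outbound bytes exceed `factor` times their usual week.
    A host with no baseline at all is flagged on any traffic, deliberately."""
    sent = Counter()
    for r in records:
        if r.get("dir") == "out":
            sent[r["src"]] += int(r.get("bytes", 0))
    return {ip: b for ip, b in sent.items() if b > factor * baseline.get(ip, 0)}


def weekly_review(log_text):
    """The three checks in one call; each value is empty when nothing was found."""
    records = parse(log_text)
    return {
        "failed_logins": repeated_failed_logins(records),
        "unexpected_ports": unexpected_ports(records),
        "outbound_spikes": outbound_spikes(records),
    }


if __name__ == "__main__":
    for finding, detail in weekly_review(SAMPLE_LOG).items():
        print(f"{finding}: {detail}")
```

Two things in the output are worth the reviewer's attention beyond the obvious brute-force burst: the host 10.10.0.7 reaching port 3389 on the internet was an ACCEPT, which means the firewall's allow rules are broader than the policy says they should be, and 10.10.0.9 sent over a hundred megabytes out in a week where its baseline is eight. Neither is proof of an incident, but both are exactly the kind of pattern the article says a weekly look at the logs exists to surface.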
The two rules most SMEs get wrong
In our experience walking into SME networks for security reviews, the two rules above that are most consistently missing are outbound blocking by default (rule 1) and WAN-side management disabled (rule 4). Both have the same root cause: they take a small amount of effort to set up and a small amount of discipline to maintain, and the cost of getting them wrong only becomes visible after a breach. Until then, the firewall appears to be doing its job because nothing is obviously broken.
The good news is that all five of these are configuration changes, not procurement decisions. You don't need to buy new hardware to fix any of them. You need someone who understands what each rule does, why it matters, and how to translate the policy into the specific syntax of whichever firewall you've already got. An afternoon's work, properly scoped, will materially reduce your exposure to the most common classes of attack SMEs face.
If you've inherited a firewall configuration that hasn't been reviewed in a few years — or that was set up by the same vendor who sold you the hardware — a fresh pair of eyes against this checklist is usually the cheapest security improvement available to you.