What are the five universal firewall rule basics every deployment should follow?
The five baseline rules: deny direct Internet→Intranet, put public servers in DMZ, restrict ports/services on DMZ servers, default-deny outbound (modern best practice), and block dangerous protocols entirely.
The five rules:
| # | Rule | Why |
|---|---|---|
| 1 | Direct Internet → Intranet access fundamentally forbidden | Public-facing servers belong in DMZ, never the Intranet |
| 2 | Public servers belong in DMZ, not Intranet | Limits blast radius of compromise |
| 3 | Restrict Internet access into DMZ to specific servers and ports | Minimum exposure surface |
| 4 | OLD: Outbound Internet open. NEW: Outbound restricted (limit "phone-home tools"!), only specific services or via proxy | Stops malware C2, data exfiltration |
| 5 | Block dangerous protocols entirely (NetBIOS, NFS, TeamViewer, ...) | Prevents abuse even from legitimate users |
Rule 1 — the foundational rule:
Direct Internet → Intranet is the original attack vector. Modern attackers don't need this — they use phishing + outbound C2 — but the rule is still essential because:
- Some malware tries to scan from Internet → Intranet for vulnerable services
- IoT devices accidentally exposed get instantly compromised
- Lazy admins who poke "temporary" holes never close them
Rule 4 — the modern shift:
"ALT: Zugriff vom internen Netz auf das Internet grundsätzlich offen. NEU: Zugriff vom internen Netz auf das Internet grundsätzlich untersagt"
This is the biggest change in firewall philosophy in the past decade. Old assumption: "outbound is fine, anyone inside is trusted." New reality: assume malware is inside; restrict outbound to known-good destinations only.
Concrete implementation:
- Allow outbound HTTP/HTTPS only via proxy (which logs and inspects)
- Block direct outbound DNS (force everything through internal DNS)
- Block outbound SMTP except from your mail server
- Block protocols like IRC, custom ports, P2P entirely
Rule 5 — the protocol blocklist:
| Protocol | Why dangerous |
|---|---|
| NetBIOS / SMB (port 445) | History of vulnerabilities (EternalBlue/WannaCry); used for lateral movement |
| NFS | Often misconfigured; exposes file systems |
| TeamViewer / RDP from Internet | Targets for credential-stuffing attacks |
| Telnet (port 23) | Cleartext credentials |
| FTP (port 21) | Cleartext credentials |
| SNMPv1/v2 (port 161) | Cleartext community strings |
These should be blocked at the perimeter regardless of what business need someone claims.
Tip: Rule 4 (outbound restriction) is often skipped in SMBs because it breaks "convenience" — every new SaaS tool the team wants requires opening a hole. The compromise: implement an outbound proxy with sensible defaults (allow major SaaS categories) rather than allow-all. Microsoft 365, Google Workspace, GitHub, Slack — all have published IP ranges you can pre-allow.
Go deeper:
NIST SP 800-41 Rev. 1 — Guidelines on Firewalls — its policy recommendations parallel all five rules.