LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the five universal firewall rule basics every deployment should follow?

The five baseline rules: deny direct Internet→Intranet, put public servers in DMZ, restrict ports/services on DMZ servers, default-deny outbound (modern best practice), and block dangerous protocols entirely.

The five rules:

# Rule Why
1 Direct Internet → Intranet access fundamentally forbidden Public-facing servers belong in DMZ, never the Intranet
2 Public servers belong in DMZ, not Intranet Limits blast radius of compromise
3 Restrict Internet access into DMZ to specific servers and ports Minimum exposure surface
4 OLD: Outbound Internet open. NEW: Outbound restricted (limit "phone-home tools"!), only specific services or via proxy Stops malware C2, data exfiltration
5 Block dangerous protocols entirely (NetBIOS, NFS, TeamViewer, ...) Prevents abuse even from legitimate users

Rule 1 — the foundational rule:

Direct Internet → Intranet is the original attack vector. Modern attackers don't need this — they use phishing + outbound C2 — but the rule is still essential because:

  • Some malware tries to scan from Internet → Intranet for vulnerable services
  • IoT devices accidentally exposed get instantly compromised
  • Lazy admins who poke "temporary" holes never close them

Rule 4 — the modern shift:

"ALT: Zugriff vom internen Netz auf das Internet grundsätzlich offen. NEU: Zugriff vom internen Netz auf das Internet grundsätzlich untersagt"

This is the biggest change in firewall philosophy in the past decade. Old assumption: "outbound is fine, anyone inside is trusted." New reality: assume malware is inside; restrict outbound to known-good destinations only.

Concrete implementation:

  • Allow outbound HTTP/HTTPS only via proxy (which logs and inspects)
  • Block direct outbound DNS (force everything through internal DNS)
  • Block outbound SMTP except from your mail server
  • Block protocols like IRC, custom ports, P2P entirely

Rule 5 — the protocol blocklist:

Protocol Why dangerous
NetBIOS / SMB (port 445) History of vulnerabilities (EternalBlue/WannaCry); used for lateral movement
NFS Often misconfigured; exposes file systems
TeamViewer / RDP from Internet Targets for credential-stuffing attacks
Telnet (port 23) Cleartext credentials
FTP (port 21) Cleartext credentials
SNMPv1/v2 (port 161) Cleartext community strings

These should be blocked at the perimeter regardless of what business need someone claims.

Tip: Rule 4 (outbound restriction) is often skipped in SMBs because it breaks "convenience" — every new SaaS tool the team wants requires opening a hole. The compromise: implement an outbound proxy with sensible defaults (allow major SaaS categories) rather than allow-all. Microsoft 365, Google Workspace, GitHub, Slack — all have published IP ranges you can pre-allow.

Go deeper:

From Quiz: INTROL / Firewall Fundamentals | Updated: Jul 14, 2026