A properly configured firewall is the difference between a protected network and an open door. This guide walks you through the exact configuration steps for a small business firewall — whether you’re using a hardware appliance, your router’s built-in firewall, or a cloud-managed solution.
Understanding Firewall Basics
A firewall controls traffic entering and leaving your network. Rules define what’s allowed and what’s blocked. The correct default posture is: block everything, then explicitly allow only what’s necessary. Most small businesses leave default configurations in place — a critical mistake, because attackers know every default configuration for every major router brand.
Step 1: Set the Default Inbound Policy to DENY
This is the single most important step. Navigate to your firewall’s policy settings and set the default inbound (WAN to LAN) policy to DENY ALL. Set the default outbound (LAN to WAN) policy to ALLOW.
Step 2: Create Explicit Allow Rules for Legitimate Traffic
Allow HTTP (port 80) and HTTPS (port 443) only if you host a public web server, and allow traffic to your VPN endpoint. Then add explicit rules for the services attackers probe most: block port 3389 (RDP) from the internet entirely, restrict port 22 (SSH) to known IPs only, block port 23 (Telnet) entirely, and block ports 137-139 and 445 (SMB) from the internet. These are ransomware’s favorite entry points.
Step 3: Segment Your Network with VLANs
A flat network means a breach on one device can spread to everything. Use VLANs to segment: VLAN 1 (Corporate) for workstations and managed devices, VLAN 2 (IoT) for printers, cameras, and smart devices, VLAN 3 (Guest) for visitor WiFi with no access to corporate resources. Add inter-VLAN firewall rules ensuring IoT and Guest VLANs cannot reach the Corporate VLAN.
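Steps 1 to 3 expressed as one nftables ruleset, produced by a small POSIX shell script. This is an added example written for this guide, not configuration from the article or from any firewall vendor. It assumes a Linux-based firewall with a WAN interface named wan0 and VLAN interfaces vlan1 (Corporate), vlan2 (IoT) and vlan3 (Guest), a hosted web server at 192.0.2.10, a known admin address 203.0.113.10 permitted to SSH, and a WireGuard VPN endpoint on UDP 51820; every one of those values is a placeholder to replace with your own.

```shell
#!/bin/sh
# Added example: emit an nftables ruleset that implements the guide's Steps 1-3
# (default DENY inbound, explicit allows, explicit logged blocks, VLAN isolation).
# All names and addresses below are assumptions for the example, not from the guide.
WAN_IF="${WAN_IF:-wan0}"
CORP_IF="${CORP_IF:-vlan1}"              # VLAN 1 (Corporate)
IOT_IF="${IOT_IF:-vlan2}"                # VLAN 2 (IoT)
GUEST_IF="${GUEST_IF:-vlan3}"            # VLAN 3 (Guest)
WEB_SERVER="${WEB_SERVER:-192.0.2.10}"   # public web server behind DNAT (placeholder)
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"     # the one known IP allowed to SSH (placeholder)
VPN_PORT="${VPN_PORT:-51820}"            # assumed WireGuard endpoint on the firewall

gen_ruleset() {
cat <<EOF
table inet fw {
  chain input {
    # Step 1: traffic addressed to the firewall itself, default DENY
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    # Step 2: VPN endpoint reachable from the internet
    iifname "$WAN_IF" udp dport $VPN_PORT accept
    # Step 2: SSH to the firewall only from the known admin IP
    iifname "$WAN_IF" ip saddr $ADMIN_IP tcp dport 22 accept
    # Management UI/SSH from the Corporate VLAN only; DNS and DHCP for every VLAN
    iifname "$CORP_IF" tcp dport { 22, 443 } accept
    iifname { "$CORP_IF", "$IOT_IF", "$GUEST_IF" } udp dport { 53, 67 } accept
    # Step 4: log what the default policy is about to drop
    log prefix "fw-input-drop: " drop
  }
  chain forward {
    # Step 1: WAN to LAN default DENY; Step 3 inter-VLAN rules live here too
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # Step 2: explicitly blocked from the internet, with their own log prefix
    iifname "$WAN_IF" tcp dport { 23, 3389, 137, 138, 139, 445 } log prefix "fw-blocked-port: " drop
    iifname "$WAN_IF" udp dport { 137, 138 } log prefix "fw-blocked-port: " drop
    # Step 2: only the public web server is reachable from the WAN (after DNAT)
    iifname "$WAN_IF" ip daddr $WEB_SERVER tcp dport { 80, 443 } accept
    # Step 3: IoT and Guest can never reach Corporate
    iifname { "$IOT_IF", "$GUEST_IF" } oifname "$CORP_IF" log prefix "fw-vlan-drop: " drop
    # Step 3: Guest cannot reach IoT; Corporate may reach IoT (printers, cameras)
    iifname "$GUEST_IF" oifname "$IOT_IF" drop
    iifname "$CORP_IF" oifname "$IOT_IF" accept
    # Step 1: outbound LAN to WAN allowed for every VLAN
    iifname { "$CORP_IF", "$IOT_IF", "$GUEST_IF" } oifname "$WAN_IF" accept
    log prefix "fw-forward-drop: " drop
  }
  chain output {
    # Step 1: traffic originated by the firewall itself, default ALLOW
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# Stand-alone run: print the ruleset so it can be redirected to a file.
gen_ruleset
```

Redirect the output to a file, check it with `nft -c -f ruleset.nft` (syntax check without applying), then load it with `nft -f ruleset.nft`. The drops for RDP, Telnet and SMB are technically redundant with the default DENY policy, but keeping them as separate logged rules gives the Step 4 review a distinct log prefix for the attempts that matter most.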
Step 4: Enable Logging and Alerts
Configure your firewall to log all blocked inbound connection attempts, alert on repeated connection attempts from the same IP (a sign of brute forcing or scanning), and send logs to a central location. Review logs at least weekly.
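Step 4’s alert condition, as an added example that is not part of the guide: POSIX shell functions that read the kernel log lines produced by nftables “log prefix” rules, count blocked attempts per source address, and print every source at or above a threshold, plus a summary of which ports the internet side keeps probing. The sample log lines, the fw-… prefixes, the interface names, the addresses and the threshold are all constructed for the example.

```shell
#!/bin/sh
# Added example: triage of firewall drop logs for Step 4. The log lines below are
# constructed to look like kernel messages from nftables "log prefix" rules; the
# prefixes, interface names and addresses are assumptions, not from the guide.
SAMPLE_LOG='Mar 12 10:01:02 fw kernel: fw-blocked-port: IN=wan0 OUT=vlan1 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=3389
Mar 12 10:01:05 fw kernel: fw-blocked-port: IN=wan0 OUT=vlan1 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=3389
Mar 12 10:01:09 fw kernel: fw-blocked-port: IN=wan0 OUT=vlan1 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51236 DPT=445
Mar 12 10:02:44 fw kernel: fw-input-drop: IN=wan0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51237 DPT=22
Mar 12 10:03:10 fw kernel: fw-input-drop: IN=wan0 OUT= SRC=198.51.100.42 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=23
Mar 12 10:05:00 fw kernel: fw-vlan-drop: IN=vlan3 OUT=vlan1 SRC=10.30.0.15 DST=10.10.0.5 PROTO=TCP SPT=55000 DPT=445
Mar 12 10:06:00 fw kernel: fw-forward-drop: IN=wan0 OUT=vlan1 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=44444 DPT=8080'

# Keep only lines written by our own log rules (an "fw-...:" prefix after "kernel:"),
# then count one blocked attempt per SRC= address. Reads the log on stdin and
# prints "<src> <count>", busiest source first.
blocked_by_src() {
  grep -E 'kernel: fw-[a-z-]+: ' |
  awk '{
    for (i = 1; i <= NF; i++)
      if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); n[$i]++ }
  } END { for (s in n) print s, n[s] }' |
  sort -k2,2nr -k1,1
}

# Alert condition from Step 4: any single source with at least $1 (default 3)
# blocked attempts in the reviewed window. Prints "<src> <count>" per offender.
repeat_offenders() {
  threshold="${1:-3}"
  blocked_by_src | awk -v t="$threshold" '$2+0 >= t+0'
}

# Which destination ports the internet side keeps probing (IN=wan0 lines only).
# Prints "<port> <count>", most-probed port first.
probed_ports_from_wan() {
  grep -E 'kernel: fw-[a-z-]+: IN=wan0 ' |
  awk '{
    for (i = 1; i <= NF; i++)
      if ($i ~ /^DPT=/) { sub(/^DPT=/, "", $i); n[$i]++ }
  } END { for (p in n) print p, n[p] }' |
  sort -k2,2nr -k1,1n
}

# Stand-alone run over the constructed sample.
echo "Sources with 3 or more blocked attempts:"
printf '%s\n' "$SAMPLE_LOG" | repeat_offenders 3
echo "Ports probed from the WAN side:"
printf '%s\n' "$SAMPLE_LOG" | probed_ports_from_wan
```

On a real firewall, feed it the central log instead of the sample (for example `journalctl -k | repeat_offenders 10` after sourcing the functions) and pick the threshold from your own baseline week. The fw-vlan-drop line in the sample is worth a separate look during review: a Guest VLAN host trying to reach port 445 on the Corporate VLAN is exactly the movement Step 3 exists to stop, and the log is the only place you will see it.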
Step 5: Test Your Configuration
Use ShieldsUP (grc.com/shieldsup) to scan your network’s external IP from the internet perspective. It will show which ports are visible and whether your configuration is working as expected.
Maintenance Schedule
Monthly: review access logs for anomalies. Quarterly: review and prune all firewall rules. Semi-annually: check for firmware updates. Annually: full firewall configuration audit.
Need a professional to review your current firewall configuration? Our Network Vulnerability Snapshot includes a firewall configuration review as part of the 15-point assessment — delivered in 48 hours for $17.
