5 firewall rules I set up that instantly made my home network safer

Securing your home network is more critical than ever, as the Internet is a scary place full of terror, and automated tools have made the job of cybercriminals even easier. Setting up a powerful firewall like OPNsense will do most of the work for you, at least once you've set it up.

If you've set up a hardware firewall in your home lab, you're most of the way there. Except, in your home lab, the focus is on containment, keeping things in, so that they don't escape and ruin your home network. For the home network, the focus is on defense and stopping those things getting onto your network in the first place.

With powerful firewall options, including prebuilt devices like those from Firewalla or repurposed old PC hardware, your home network can be secured easily, and you'll learn useful skills. But before I dive into advanced configurations, I set up a handful of firewall rules that set the foundation for everything else.

5 Default Deny for all incoming traffic

If I'm not asking for it, it's not coming in

The first firewall rule I always set up is deceptively simple, but it sets up the structure for every other rule. That's a default of denying all incoming traffic. You might think that odd, but on a home network, there's no reason that unsolicited inbound connections should be allowed—none, at all.

Incoming connections because an application on a device on the home network has requested data from an external server is fine, mostly, as long as you trust the application or device. Treat internet data packets as information vampires—they don't come in unless explicitly asked.

That means you'll end up with a hierarchy of firewall rules that looks similar to:

• Anti-spoofing rules: The top level of rules filters all traffic but only lets through packets from legitimate sources.
• User access rules: Now, you set up rules for what users can do, such as HTTP for web access, 443 for VPNs, and similar.
• Management access rules: Rules for allowing admin tools and addresses to come next so only trusted sources can interact with the firewall's configuration and monitoring.
• Service-specific denial rules: Blocking unnecessary or vulnerable services, and Geo-blocks, reducing noise and attack vectors.
• Catch-all deny rule: Drops all traffic that doesn't match previous firewall rules that explicitly allow it through the firewall.

For example, with the Uncomplicated Firewall on Linux systems, you could start with:

# Example UFW configuration
ufw default reject incoming
ufw default allow outgoing
ufw default deny routed

This stops lazy or automated attacks trying to exploit open ports or services on your network. The smaller attack surface you create, the better. And don't forget to block both IPv4 and IPv6.

4 DNS-based filtering

GeoIP blocking reduces the number of computers that could attack

It's a fact of life that some countries are responsible for the majority of all hacks, ransomware attacks, phishing attempts, and other nefarious internet nasties. Enough so that several firewall options specifically exclude IP ranges from those countries from incoming connections to your network. Whether you run OPNsense, pfSense, or another firewall solution, setting up GeoIP blocking makes a lot of sense, and you'll want to block traffic coming in or out of your home network. That's because you never know if something malicious is already on your network, and you don't want ransomware or malware phoning home.

For OPNsense or many other firewalls, you use the MaxMind GeoIP database to accomplish this. You'll need to register, and create a license key (that's free), and then add the following to the GeoIP settings field (found at Firewall > Aliases > GeoIP Settings on the OPNsense dashboard):

https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=My_License_key&suffix=zip

This downloads the list and allows you to deny any IP traffic from those regions.

3 Network segmentation

Stick your IoT devices on their own VLAN

Keeping your IoT (Internet of Things) devices on their own network segment is always a good idea. These low-power devices often lack the power or space to run security features your computer wouldn't go without, and you don't want them causing issues. Even if they're not a security worry (which they are), they often fill your network with broadcast, unicast, and multicast packets, which go to every device on your network, slowing everything down for everyone.

# Example rule structure:
LAN: Allow outgoing connections, block incoming connections from IoT VLAN
IoT: Allow outgoing to internet, block outgoing to LAN except for authorized services

Along with putting those IoT devices on their own VLAN, you might still want them to be able to connect to the internet for updates or cloud-based controls. If you're using Home Assistant to control your smart home, you might want to put that on the VLAN as well, and have another set of firewall rules for Home Assistant traffic that can go between the IoT VLAN and your home network.

2 Install Fail2Ban

Brute force attacks are a pain but they're easily warded off

All the clever firewall rules in the world won't stop an attacker from simply logging in via the management portal. You can make it much more difficult for that to happen, first by making sure that the management pages can't be reached outside your home network, but then you can add Fail2Ban to make sure.

This plugin for your firewall monitors the logs for critical services, and looks for unusual patterns that are outside the scope you set. Then, it bans any IP addresses that are behaving oddly. If you've ever been locked out of an online account for fat-fingering your password one too many times, you know how this plugin works. A good place to start is bans is 5 failed login attempts within 10 minutes occur, and then a duration of the ban for first offenders or if they come back.

1 Block unnecessary outgoing ports

Working from a position of least privilege is the way

When building a secure firewall, starting with a position of least trust is always best. Don't trust anything on your network, whether a device or a program, until you know it's relatively safe and needs to loosen the restrictions a little. Blocking outgoing ports by default is a good idea, reducing the number of ports a malicious device can use to phone home. But you'll need to balance this with the needs of your home network to talk to the internet, including opening the standard ports that plenty of computing devices rely on.

Some common ports include:

• HTTP/HTTPS (ports 80 and 443): for web browsing
• FTP (port 21): File Transfer Protocol for transferring files
• SMTP (port 25): Simple Mail Transfer Protocol for outgoing email
• SSH (port 22): Secure Shell for secure remote administration of devices
• DNS (port 53): Domain Name System used for domain name resolution
• DHCP (port 67): Dynamic Host Configuration Protocol for issuing IP addresses
• NTP (port 123): Network Time Protocol
• VoIP (port 56): Voice over Internet Protocol used for phone conversations

You'll need some of these to be unblocked, but a few are commonly used by compromised systems, like Port 25, which gets used to send spam, Port 53 to hijack your DNS records, and Port 445, which is the SMB (Server Message Block) port. Blocking these three will keep you, and other internet users, safer.

These settings are the foundation of any firewall I set up, but they're not an exhaustive list

Firewall rules are constantly changing and adjusting, to meet or beat the level of the attackers that are out there. These settings will make you safer, but they are by no means the only settings you should have on your firewall to protect your home network, and there are tons of additional security plugins to any comprehensive firewall to make your network more secure.