My initial assumption is yes because it is a strong security implementation.

However, I am concerned if I enable this option, I might be blocking legitimate external Internet traffic to resources on our internal network (if that’s a correct understanding of WAN > LAN).

We only have one server that is used for file storage, a database, AD, a client-server app that runs our business, and online backups. However, I can’t think of any reasons why someone from the internet would need to hit anything on the inside. Online backups should be outbound traffic (except maybe software updates need the WAN > LAN)?

Any guidance would be helpful. Thanks!


  • LessConcentrate1612

    November 8, 2021

    Put it at the bottom of your rule set. It’s called an explicit deny statement.

  • phoboss1983

    November 8, 2021

    Unless you are trying to publish internal resources on the internet, this should be all closed.

    If one of your devices needs an update or a user is browsing the Internet, that traffic is initiated internally and the router’s firewall will permit the traffic.

  • 3574660239829

    November 8, 2021

    Deny WAN > LAN is the default on all firewalls, or should be. You’re failing to understand the concept of who is initiating the connection. If a connection is initiated internally, data from outside will still transit the firewall. However, if a connection is initiated externally, it will be blocked.

  • ShameNap

    November 8, 2021

    You should get professional help. If you’re questioning whether you should protect your AD server from the internet, and your device says that this (which is literally just baseline security) is the highest level of security it can do, you have a lot of potential issues.

    Seriously, have someone who knows security set your stuff up for you. And if I were you I would focus on backups and disaster recovery.

  • Chrysis_Manspider

    November 8, 2021

    Default deny inbound is standard even in a home setup, it should be turned on out of the box. It will definitely be turned on in Windows Defender on your Windows hosts.

    Basically for a good setup block ALL traffic, both in and out – then apply specific allow rules for the ports from/to the appliance that needs them. You don’t need to worry about allowing return traffic – read up on ‘stateful inspection’ firewalls as yours will be one of these at a minimum.

    Inbound will be quick and easy, outbound is more difficult as you will need to identify what services you need and allow them or risk DOSing yourself – but this will improve your security posture drastically. (Outbound blocking usually isn’t enabled by default)

    Want to take the next step once this is done? Log all blocked outbound requests and investigate them, or at least the high-risk ones (ssh, telnet, rdp etc.), as this is a great way to find hosts with malware/compromise. You will absolutely have an easier time doing this if you roll out Sysmon on all endpoints and start logging network connections, as this will be the easiest way to identify the process that initiated the connection.

    You can do as little or as much as your risk tolerance will allow and can really go down the rabbit hole with this stuff, but good security is never a set and forget type of deal. Your perimeter defence will inevitably fail, it’s a fact of life. Know your network and monitor it.
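As an added example (not from the original post or any of the commenters) of the last step described above: triaging firewall drop logs for blocked outbound connections to high-risk ports and naming the initiating process by matching the connection 4-tuple against Sysmon Event ID 3 (network connection) records. The netfilter-style log lines and the Sysmon records are constructed for illustration; the log prefix `FW-OUT-DROP`, the five-second match window, the syslog year and the assumption that both log sources are in UTC are my own choices, not anything the thread specifies.

```python
import re
from datetime import datetime, timedelta

# Ports the comment singles out as worth investigating when a host tries to
# reach them outbound and the default-deny rule drops the attempt.
HIGH_RISK_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp"}

# Fields we need from a Linux netfilter LOG line (iptables/nftables "log"
# target). "FW-OUT-DROP" is an assumed log prefix set on the outbound drop rule.
_FW_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?FW-OUT-DROP "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Constructed sample data. Syslog timestamps carry no year, so one is supplied.
FW_LOG_LINES = [
    "Nov  8 10:15:02 gw kernel: FW-OUT-DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Nov  8 10:20:45 gw kernel: FW-OUT-DROP IN=br0 OUT=eth0 SRC=192.168.1.51 DST=198.51.100.7 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=0 DF PROTO=TCP SPT=50022 DPT=3389 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Nov  8 10:25:13 gw kernel: FW-OUT-DROP IN=br0 OUT=eth0 SRC=192.168.1.52 DST=203.0.113.99 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=0 DF PROTO=TCP SPT=49800 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Nov  8 10:31:10 gw kernel: FW-OUT-DROP IN=br0 OUT=eth0 SRC=192.168.1.53 DST=203.0.113.5 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0",
]

# Constructed Sysmon Event ID 3 records (field names follow the real event;
# values are made up). The host 192.168.1.53 has no Sysmon agent, so its
# telnet attempt cannot be attributed to a process.
SYSMON_EVENTS = [
    {"UtcTime": "2021-11-08 10:15:01.884", "Image": r"C:\Users\alice\Downloads\installer.exe",
     "SourceIp": "192.168.1.50", "SourcePort": "51234", "DestinationIp": "203.0.113.10", "DestinationPort": "22"},
    {"UtcTime": "2021-11-08 10:20:44.950", "Image": r"C:\Windows\System32\mstsc.exe",
     "SourceIp": "192.168.1.51", "SourcePort": "50022", "DestinationIp": "198.51.100.7", "DestinationPort": "3389"},
]


def parse_fw_drop(line, year):
    """Return the dropped connection's 4-tuple and time, or None for non-matching lines."""
    m = _FW_RE.search(line)
    if not m:
        return None
    return {
        "time": datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year),
        "src": m["src"], "spt": int(m["spt"]),
        "dst": m["dst"], "dpt": int(m["dpt"]),
        "proto": m["proto"],
    }


def find_initiating_process(ev, sysmon_events, window=timedelta(seconds=5)):
    """Match the firewall event to a Sysmon network event on the same 4-tuple
    within `window`. Assumes both logs are in UTC; normalise clocks first in
    real deployments or the join silently fails."""
    key = (ev["src"], ev["spt"], ev["dst"], ev["dpt"])
    for s in sysmon_events:
        s_key = (s["SourceIp"], int(s["SourcePort"]), s["DestinationIp"], int(s["DestinationPort"]))
        if s_key != key:
            continue
        t = datetime.strptime(s["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        if abs(t - ev["time"]) <= window:
            return s["Image"]
    return None


def triage(fw_lines, sysmon_events, year):
    """Keep only drops to high-risk ports and attach the initiating process if known."""
    findings = []
    for line in fw_lines:
        ev = parse_fw_drop(line, year)
        if ev is None or ev["dpt"] not in HIGH_RISK_PORTS:
            continue  # unparseable, or a port we are not hunting for here
        findings.append({
            "host": ev["src"],
            "dst": f"{ev['dst']}:{ev['dpt']}",
            "service": HIGH_RISK_PORTS[ev["dpt"]],
            "image": find_initiating_process(ev, sysmon_events),
        })
    return findings


if __name__ == "__main__":
    for f in triage(FW_LOG_LINES, SYSMON_EVENTS, 2021):
        print(f"{f['host']} -> {f['dst']} ({f['service']}): {f['image'] or 'no Sysmon match'}")
```

The 443 drop is deliberately left out of the findings: it is the kind of noise a new outbound-deny policy generates while legitimate services are still being allow-listed, and the point of the triage is to surface the small set of hits that warrant a look. The RDP hit resolving to `mstsc.exe` and the SSH hit resolving to a file in a user's Downloads folder show why the process name matters: the same blocked port can be an admin doing their job or something that needs investigating, and only the endpoint telemetry tells them apart.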

