A firewall is the gatekeeper of your network — it controls what traffic is allowed in and out, blocking malicious connections before they reach your systems. Despite being one of the most fundamental security controls, many small businesses run with poorly configured or default firewalls. This guide changes that.
Types of Firewalls
Packet Filtering Firewall
The oldest and simplest type. Examines each packet of data and compares it against a set of rules (IP address, port, protocol). If it matches a “block” rule, the packet is dropped. If it matches “allow,” it passes. Fast and efficient but lacks context — it can’t tell if a packet is part of a legitimate ongoing connection or not.
Stateful Inspection Firewall
Tracks the state of active network connections. It knows whether a packet is part of an established connection, a new connection, or invalid. Much more intelligent than packet filtering — it can block packets that appear legitimate but aren’t part of any active session. This is the standard for modern network firewalls.
Next-Generation Firewall (NGFW)
Adds deep packet inspection, application awareness, intrusion prevention (IPS), SSL/TLS inspection, and user identity awareness. An NGFW can distinguish between different applications using the same port (e.g., Facebook vs. Zoom on port 443) and apply different rules to each. Vendors: Palo Alto Networks, Fortinet, Cisco Firepower, pfSense + Suricata (open source).
Web Application Firewall (WAF)
Specifically designed to protect web applications. Operates at Layer 7 (application layer) and understands HTTP/HTTPS. Protects against SQL injection, XSS, CSRF, and other web attacks. Examples: Cloudflare WAF (free tier), ModSecurity (open source), AWS WAF.
Software/Host Firewall
Runs on individual devices. Windows Firewall, iptables/nftables on Linux, pfSense on dedicated hardware. Controls what that specific device can send and receive — your last line of defense if traffic bypasses the network perimeter.
Key Firewall Rules Every Business Needs
Default Deny (Least Privilege)
The most important principle: deny all by default, allow only what’s explicitly needed. Start with a rule that blocks everything, then add specific allow rules. This is the opposite of many default configurations (“allow all, block known bad”) which leave you exposed to everything you haven’t thought of yet.
Inbound Rules (What Can Reach Your Network)
- Allow 80/TCP (HTTP) and 443/TCP (HTTPS) — only to your web servers, not to all internal systems
- Block all direct inbound access to databases — databases should never be directly internet-accessible
- Limit RDP (3389/TCP) access — only from specific IP addresses, ideally via VPN only. Never expose RDP directly to the internet.
- Limit SSH (22/TCP) — to specific management IP ranges or require VPN
- Block all other inbound traffic by default
Outbound Rules (What Can Leave Your Network)
Most businesses ignore outbound filtering, but it’s critical for detecting compromised systems. A machine infected with malware will try to “call home” to a C2 server.
- Allow 80/TCP and 443/TCP outbound — for web browsing
- Allow DNS (53/UDP) only to your specific DNS servers — block all other outbound DNS to prevent DNS tunneling
- Block outbound traffic on unusual ports that users shouldn’t need
- Log all blocked outbound traffic — alerts on blocked outbound connections can reveal infected machines
Lateral Movement Rules (Internal Segmentation)
Your firewall shouldn’t just protect the internet boundary — it should also segment internal networks:
- Separate your guest Wi-Fi from your corporate network — guests should have internet access but no access to internal servers
- Separate your server network from your workstation network
- Isolate IoT devices (smart TVs, printers, cameras) on their own VLAN
- Restrict which systems can communicate with domain controllers
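The inbound, outbound and segmentation rules above, expressed as one nftables ruleset for a hypothetical gateway (an added example, not from the original guide): eth0 is assumed to face the internet, eth1 the corporate LAN and eth2 the guest Wi-Fi, and the web server, management subnet and approved resolvers are passed in as parameters.

```shell
#!/bin/sh
# Added example (not from the original article): builds an nftables ruleset that
# implements the default-deny inbound/outbound/segmentation rules described above
# for a hypothetical gateway. Interface names and addresses are assumptions:
#   eth0 = internet, eth1 = corporate LAN, eth2 = guest Wi-Fi
build_ruleset() {
  web="$1"      # web server that may receive 80/443 from the internet
  mgmt="$2"     # management subnet (or VPN pool) allowed to reach SSH/RDP
  dns="$3"      # comma-separated approved resolvers
  cat <<EOF
table inet filter {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # inbound from the internet: only HTTP/HTTPS, only to the web server
    iifname "eth0" oifname "eth1" ip daddr $web tcp dport { 80, 443 } accept
    # SSH/RDP only from the management subnet, never from the internet
    iifname "eth1" ip saddr $mgmt tcp dport { 22, 3389 } accept
    # guest Wi-Fi: internet only, never the corporate LAN
    iifname "eth2" oifname "eth1" log prefix "GUEST-TO-LAN " drop
    iifname "eth2" oifname "eth0" accept
    # corporate outbound: browsing, and DNS only to the approved resolvers
    iifname "eth1" oifname "eth0" tcp dport { 80, 443 } accept
    iifname "eth1" oifname "eth0" ip daddr { $dns } udp dport 53 accept
    # everything else leaving the LAN is logged, then dropped
    iifname "eth1" oifname "eth0" log prefix "OUTBOUND-DROP " drop
  }
}
EOF
}

# Syntax-check the generated ruleset without applying it, when nft is available.
check_ruleset() {
  if command -v nft >/dev/null 2>&1; then
    build_ruleset "$@" | nft -c -f -
  else
    echo "nft not installed; skipping syntax check" >&2
  fi
}

# Apply with: build_ruleset 10.0.10.5 10.0.20.0/24 "10.0.10.53, 1.1.1.1" | sudo nft -f -
```

Run check_ruleset with the same three arguments first; the logged prefixes are what the outbound-log review in the best-practices section keys on.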
Free and Low-Cost Firewall Options for Small Business
pfSense (Free, Open Source)
pfSense is a full-featured open-source firewall/router based on FreeBSD. It includes stateful packet filtering, VPN (IPsec, OpenVPN, WireGuard), traffic shaping, IDS/IPS via Suricata/Snort, and much more. You can install it on commodity x86 hardware or buy a dedicated Netgate appliance. For small businesses with a technical person available, pfSense offers enterprise-class features at zero license cost.
OPNsense (Free, Open Source)
A pfSense fork with a more modern UI and frequent security updates. Includes full IDS/IPS, web filtering, two-factor authentication, and a plugin ecosystem. OPNsense has become many professionals’ preference over pfSense due to more transparent development and faster patching.
Cloudflare (Free Web Application Firewall)
Cloudflare’s free plan provides DDoS protection, a basic WAF, and CDN for any internet-facing web property. The free tier includes protection against common web exploits. For a small business website, Cloudflare free tier is a no-brainer — it takes 10 minutes to set up and provides significant protection.
Windows Firewall (Free, Built-in)
Windows Defender Firewall with Advanced Security is a capable host-based firewall included free with Windows. When properly configured, it can block unexpected inbound and outbound connections on each individual device. Use Group Policy to enforce consistent firewall rules across all domain-joined machines.
UFW (Uncomplicated Firewall) for Linux Servers
UFW is a simplified interface for iptables on Ubuntu/Debian Linux. Simple commands to configure:
# Basic UFW setup for a web server
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp # SSH - restrict to specific IP if possible
sudo ufw allow 80/tcp # HTTP
sudo ufw allow 443/tcp # HTTPS
sudo ufw enable
sudo ufw status verbose
Firewall Best Practices
- Document every rule: Every firewall rule should have a comment explaining what it’s for, who requested it, and when it was added. Undocumented rules accumulate over years and create blind spots.
- Review rules regularly: Schedule quarterly firewall rule audits. Remove rules for servers that no longer exist and applications that are no longer used.
- Enable logging: Log blocked traffic and review logs regularly. Unusual patterns — especially repeated blocked outbound connections — can reveal compromised systems.
- Test your rules: Use tools like nmap from an external perspective to verify that only intended ports are accessible. What you think is blocked may not be.
- Keep firmware updated: Firewall devices themselves have vulnerabilities. Apply vendor patches promptly.
- Don’t rely on firewall alone: A firewall is one layer of defense. Assume breach — if something gets through, your other controls (EDR, SIEM, network monitoring) should catch it.
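As an added example (not part of the original article) of the outbound-log review recommended in both the outbound rules and the best practices above, this script parses UFW block log lines and flags internal hosts with repeated blocked outbound connections; the log lines are constructed for the example, and eth0 is assumed to be the internet-facing interface.

```shell
#!/bin/sh
# Added example (not from the original article): flags internal hosts with repeated
# blocked outbound connections in UFW/netfilter log lines. The log lines below are
# constructed for the example; eth0 is assumed to be the internet-facing interface.
SAMPLE_LOG='Mar 10 09:12:01 gw kernel: [UFW BLOCK] IN=eth1 OUT=eth0 SRC=10.0.30.14 DST=198.51.100.9 PROTO=TCP SPT=50112 DPT=4444
Mar 10 09:12:31 gw kernel: [UFW BLOCK] IN=eth1 OUT=eth0 SRC=10.0.30.14 DST=198.51.100.9 PROTO=TCP SPT=50113 DPT=4444
Mar 10 09:13:02 gw kernel: [UFW BLOCK] IN=eth1 OUT=eth0 SRC=10.0.30.14 DST=203.0.113.53 PROTO=UDP SPT=41002 DPT=53
Mar 10 09:13:33 gw kernel: [UFW BLOCK] IN=eth1 OUT=eth0 SRC=10.0.30.14 DST=198.51.100.9 PROTO=TCP SPT=50114 DPT=4444
Mar 10 09:14:10 gw kernel: [UFW BLOCK] IN=eth1 OUT=eth0 SRC=10.0.30.22 DST=192.0.2.40 PROTO=TCP SPT=33001 DPT=25
Mar 10 09:14:55 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.5 PROTO=TCP SPT=44444 DPT=3389'

# Print "SRC count dst:port ..." for every internal source whose blocked outbound
# attempts reach the threshold (default 3). Inbound blocks (IN=eth0) are ignored:
# those are expected noise; repeated blocked outbound traffic is the signal.
flag_outbound_blocks() {
  awk -v t="${1:-3}" '
    /\[UFW BLOCK\]/ && / OUT=eth0 / {
      src = ""; dst = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "SRC") src = kv[2]
        else if (kv[1] == "DST") dst = kv[2]
        else if (kv[1] == "DPT") dpt = kv[2]
      }
      if (src == "") next
      n[src]++
      d = dst ":" dpt
      # keep one copy of each destination so the analyst sees where the host tried to go
      if (!((src, d) in seen)) { seen[src, d] = 1; dests[src] = dests[src] " " d }
    }
    END { for (s in n) if (n[s] >= t) printf "%s %d%s\n", s, n[s], dests[s] }
  ' | sort
}

# Usage on the constructed sample: printf '%s\n' "$SAMPLE_LOG" | flag_outbound_blocks 3
# Real use: journalctl -k | flag_outbound_blocks 3   (or cat /var/log/ufw.log | ...)
```

On the sample, only 10.0.30.14 is reported (four blocked attempts, including DNS to a non-approved resolver), which is exactly the pattern the logging rule is meant to surface.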
Summary
A properly configured firewall dramatically reduces your attack surface. Start with a default-deny policy, allow only what’s needed, segment your network into zones, and monitor your logs. Free options like pfSense, OPNsense, and Cloudflare make enterprise-level firewall capability accessible to any size organization. Spend an afternoon configuring it right — it’s one of the highest-ROI security investments you can make.