OPNsense Firewall Blocklisting

Recently I wanted to see what it was like managing a firewall with a default deny policy, allowing no outbound traffic that doesn't have a specific rule permitting it. So I installed an OPNsense firewall in a virtual machine with the following settings:

Some of the more important things to configure included making the firewall listen only on the LAN interface for connections to the web GUI.

And here are the rules I came up with. I was surprised how little it took to get a Linux VM routed through the firewall updating, because Linux just uses HTTPS to update. Click on the image below to be able to read it.
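Added example, not the rules from the screenshot and not OPNsense's own generated configuration: a pf-style ruleset (OPNsense compiles its GUI rules into pf) that expresses the same default-deny egress policy. The interface name, the LAN subnet, and the assumption that the firewall itself answers DNS and NTP for the LAN are not from the post.

```pf
# Illustrative pf ruleset for a default-deny LAN (assumed names/addresses).
lan_if  = "em1"            # assumption: LAN interface name
lan_net = "192.168.1.0/24" # assumption: LAN subnet

# Default deny: nothing passes in any direction unless a later rule allows it.
# Logging blocked packets is what tells you which rule is still missing.
block log all

# Assumption: the firewall is the LAN's DNS and NTP server, so clients only
# need to reach the firewall's own LAN address for name resolution and time.
pass in quick on $lan_if proto { tcp udp } from $lan_net to ($lan_if) port 53
pass in quick on $lan_if proto udp from $lan_net to ($lan_if) port 123

# Web GUI reachable from the LAN only. There is deliberately no matching
# pass rule on the WAN side, so the default block covers it.
pass in quick on $lan_if proto tcp from $lan_net to ($lan_if) port 443

# The single egress rule that lets apt/dnf/yum updates work: HTTPS out.
# Only new connections (SYN) from the LAN create state; replies ride on it.
pass in quick on $lan_if proto tcp from $lan_net to any port 443 flags S/SA keep state
```

Restricting the GUI's listen interfaces is a separate OPNsense setting (System > Settings > Administration) that complements the pf rule above rather than replacing it.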