The Simplest and Last Internet-Only ACL You’ll Ever Need 


Implement this ACL using whatever network gear, cloud ACL configuration, or uncomplicated firewall you use to protect your networks. Our IoT devices are the hosts on this segment for this example. Also, don't use non-RFC 1918 addressing on your internal networks. Depending on your configuration, the following pseudo-logic, in the format <allow or deny> <IP.Source> <IP.Destination> <protocol>, should work universally.

deny any 10.0.0.0/8

deny any 172.16.0.0/12

deny any 192.168.0.0/16

allow any any

The Verbose Version 

Imagine this — you are implementing a new netblock for your Roku TVs, IoT devices, and wireless guests. They all need internet access, and under no circumstances do they need access to anything else. When they get a DHCP lease from your network, you should hand them a public DNS server or two in the lease offer. Not all resolvers were created equal, but OpenDNS and a few others may offer you a bit more privacy than the rest.

Once your hosts have been given a public IP address or two for name resolution, the following ACL will block your TVs from reaching anything in RFC 1918 space in four short and sweet lines. This configuration keeps these hosts from accessing anything you address on the standard internal network ranges.

deny any 10.0.0.0/8

deny any 172.16.0.0/12

deny any 192.168.0.0/16

allow any any

This will allow the segment to talk to any public IP address. That’s it, that’s all. 
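To make the first-match behaviour of those four lines concrete, here is a small vendor-neutral evaluator added as an example (it is not the author's code and not any vendor's ACL syntax). It assumes the three deny lines target the three RFC 1918 prefixes, that the ACL is applied to traffic leaving the IoT/guest segment, and that the segment itself sits in 192.168.50.0/24; the resolver address 203.0.113.53 is a constructed placeholder from the documentation range, standing in for whatever public resolver you hand out in the DHCP lease. It also includes a coverage check that flags the classic mistake of writing 172.16.0.0/16 where the /12 is needed.

```python
"""First-match evaluator and coverage check for the internet-only ACL.

Added example, not the post author's code. Assumes the deny lines target the
RFC 1918 prefixes and the ACL is applied to traffic leaving the IoT segment.
"""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")  # "any" in the post's pseudo-logic


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: Net             # source match
    dst: Net             # destination match
    proto: str = "any"   # protocol match; "any" matches everything


# The four lines from the post, in <action> <src> <dst> <proto> form.
INTERNET_ONLY_ACL = [
    Rule("deny", ANY, Net("10.0.0.0/8")),
    Rule("deny", ANY, Net("172.16.0.0/12")),
    Rule("deny", ANY, Net("192.168.0.0/16")),
    Rule("allow", ANY, ANY),
]

RFC1918 = [Net("10.0.0.0/8"), Net("172.16.0.0/12"), Net("192.168.0.0/16")]


def evaluate(acl, src_ip, dst_ip, proto="any"):
    """Return (action, rule_index) for a flow. First match wins; an ACL with
    no matching line falls through to an implicit deny, as most gear does."""
    s = ipaddress.IPv4Address(src_ip)
    d = ipaddress.IPv4Address(dst_ip)
    for i, r in enumerate(acl):
        if s in r.src and d in r.dst and r.proto in ("any", proto):
            return r.action, i
    return "deny", None


def rfc1918_gaps(acl):
    """Return the RFC 1918 blocks that are NOT fully denied before a catch-all
    allow would match them. Catches 172.16.0.0/16 written instead of /12."""
    gaps = []
    for block in RFC1918:
        covered = False
        for r in acl:
            if r.action == "allow" and r.src == ANY and block.overlaps(r.dst):
                break  # an earlier allow would already pass this traffic
            if (r.action == "deny" and r.src == ANY and r.proto == "any"
                    and block.subnet_of(r.dst)):
                covered = True
                break
        if not covered:
            gaps.append(block)
    return gaps


def audit(acl, flows):
    """Evaluate a list of (src, dst) flows; handy for a pre-change review."""
    return [(src, dst, evaluate(acl, src, dst)[0]) for src, dst in flows]


if __name__ == "__main__":
    # Constructed sample flows from an IoT host on 192.168.50.0/24.
    flows = [
        ("192.168.50.23", "203.0.113.53"),   # public resolver from the lease
        ("192.168.50.23", "192.168.1.1"),    # internal DNS/gateway: blocked
        ("192.168.50.23", "10.0.0.5"),       # server segment: blocked
        ("192.168.50.23", "172.31.255.1"),   # top of the /12: still blocked
    ]
    for src, dst, action in audit(INTERNET_ONLY_ACL, flows):
        print(f"{src} -> {dst}: {action}")
    print("RFC 1918 gaps:", rfc1918_gaps(INTERNET_ONLY_ACL))
```

The second flow in the sample is the reason the post tells you to put a public resolver in the DHCP lease: with these four lines an internal DNS server is just another RFC 1918 destination and is denied like everything else.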

Thanks for reading,  


Want to learn more mad skills from the person who wrote this blog?

Check out this class from Kent and Jordan:

Defending the Enterprise

Available live/virtual and on-demand!