Firewall Basics: What a Small Office Should Configure
Hi! I’m Joko. I often fix networks that seemed fine until problems appeared. If you run a small business, school office, or startup in Southeast Asia, setting up the basics of your firewall is one of the best ways to keep things stable and secure.
A firewall isn’t magic, and it’s not just for big companies. It acts as a gatekeeper, deciding which traffic can come in, which can go out, and which should be blocked or monitored. In a small office, this can stop ransomware from spreading, block random scans from reaching your admin panel, and keep a hacked laptop away from your server.
What a “small office firewall” should do (in plain terms)
Most offices have a router, and many people think the router is the firewall. Sometimes that’s true, but often it just does basic NAT and a few default rules. A good firewall setup means making clear choices: what services need to be reachable from outside, which devices should never connect to your servers, and how to support staff working from home safely.
When people ask me about “protecting the server,” I usually answer with a question: “Which server, and from whom?” Because the threat isn’t only hackers. It’s also accidental exposure (open ports), mis-clicks, infected endpoints, and vendors who need access but shouldn’t have full access.
Start with the most common small office layout (and what goes wrong)
A typical small office setup in Indonesia looks like this:
You have an ISP modem, then a Wi‑Fi router, and everything connects to it: staff laptops, printers, maybe a NAS, and a web server or VPS for the business. The problem is that everything is on the same network, and the default firewall settings are often too open. If one device gets compromised, it’s easy for threats to spread.
If your office has any of these, your firewall configuration matters even more:
- A local server (file server, app server, CCTV NVR, HR system)
- A WordPress admin panel used by staff
- Remote access for vendors or off-site staff
- Guest Wi‑Fi shared with customers or visitors
That’s the difference between just having internet and having a controlled network perimeter.
The minimum firewall rules I want in place (without over-complicating it)
Let’s keep things practical. Your firewall rules should be clear and predictable. Aim for safe default settings.
1) Default-deny inbound, allow only what you truly publish
Inbound from the internet should be blocked unless there’s a clear reason. If your office website is hosted externally, your office firewall should not expose anything. If you host something yourself, expose only what’s needed (typically HTTPS on port 443) and nothing else.
A lot of “protecting the server” is simply not putting management interfaces on the public internet. Admin panels, databases, and SMB file sharing should never be reachable from outside.
2) Separate staff, servers, and guests (segmentation)
In a good small-office setup, guest Wi‑Fi is on a separate network from staff devices, and staff devices are separated from servers. You can do this with VLANs, separate SSIDs, or firewall zones, depending on your hardware. The main point is that if a guest device is compromised, it can’t reach your server. This is one of the most important benefits of a firewall: it limits the damage if something goes wrong.
3) Remote access: VPN > port-forwarding
If someone needs to access internal systems from outside, don’t port-forward RDP or admin ports. Use a VPN (WireGuard, IPsec, or your firewall’s built-in VPN). Then restrict VPN users to only the resources they need.
When a small team says, “We just need to access the server quickly,” I think, “You might accidentally leave the server exposed for months.” Using a VPN first is a big improvement for server security.
A realistic scenario (SME in Indonesia)
Here’s a situation I’ve seen: a small trading company in Surabaya has 12 staff, one shared printer, a NAS for documents, and a small internal web app. They also have a WordPress marketing site for Sabako-related campaigns and vendor inquiries, and one staff member sometimes logs in from home.
Without segmentation, one infected laptop can scan the NAS, access open SMB shares, and encrypt all your files. With a good firewall setup for a small office, you can block staff from reaching NAS admin ports, keep guest Wi‑Fi separate, and let remote staff connect by VPN with limited access. You don’t need expensive equipment—just a clear plan.
A tiny example: host-based firewall for “protecting the server”
Even with a good network firewall, I still like a host firewall on servers. If your server runs Linux, you can set up a simple baseline that allows SSH only from your office/VPN range and HTTPS for the public site.
Here’s a short example using UFW. This isn’t the whole strategy, but it’s a good safety measure. I’ve left in a few details from my own setup (the account name and the site it serves) so you can see it in context.
# logged in as JokSilo on the server that serves sabako.id
# (this just opens a login shell as that same account)
sudo -u JokSilo -i
# block everything inbound by default, let the server talk out
sudo ufw default deny incoming
sudo ufw default allow outgoing
# allow HTTPS for the website
sudo ufw allow 443/tcp
# allow SSH only from your office/VPN subnet (example)
sudo ufw allow from 10.10.0.0/24 to any port 22 proto tcp
# before enabling, make sure the SSH session you are in comes from that subnet
sudo ufw enable
sudo ufw status verbose
This kind of host rule helps protect your server even if someone accidentally changes the main firewall. One caveat before you run ufw enable: make sure the SSH session you are sitting in comes from inside the allowed range (10.10.0.0/24 in the example), or that last rule will lock you out of your own server.
Outbound control is also quietly important
Most people focus on inbound rules, but outbound rules are important too, especially during an incident. If a device is compromised, it may try to connect to command-and-control servers. In a small office, you can’t block all outbound traffic, but you can still improve your security by doing the following:
- Keep DNS under your control by using your firewall’s DNS resolver or a trusted provider.
- Watch for suspicious domains.
- Log any unusual outbound activity.
This isn’t being paranoid—it’s only practical. A firewall with good logging helps you turn guesses into real evidence.
Everyone skips
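Here is an added example (my own script, not something from the post above) of the kind of outbound logging check described in this section: it reads UFW-style kernel log lines and lists the devices that send DNS anywhere other than the resolver you sanction. The resolver address, the sample log lines and the device addresses are all constructed for the example.

```bash
#!/usr/bin/env bash
# Spot devices that bypass the office resolver. Works on the kernel log lines
# UFW writes (allowed packets only show up at "ufw logging medium" or higher)
# or on any iptables LOG rule placed on the outbound path.
SANCTIONED_DNS="10.10.0.1"   # assumed: the firewall's own resolver

# rogue_dns_report < logfile -> one "SRC DST PROTO count" line per client that
# talks to port 53 somewhere other than SANCTIONED_DNS; no output means all clear
rogue_dns_report() {
  awk -v ok="$SANCTIONED_DNS" '
    /DPT=53( |$)/ {
      src = ""; dst = ""; proto = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^DST=/) dst = substr($i, 5)
        if ($i ~ /^PROTO=/) proto = substr($i, 7)
      }
      if (dst != ok) seen[src " " dst " " proto]++
    }
    END { for (k in seen) print k, seen[k] }' | sort
}

# Constructed sample lines (not from a real office): .77 behaves, .23 asked a
# public resolver once, .41 has switched to one permanently.
SAMPLE_LOG='Mar  3 09:12:01 fw kernel: [UFW ALLOW] IN=eth1 OUT=eth0 SRC=10.10.0.77 DST=10.10.0.1 PROTO=UDP SPT=51012 DPT=53 LEN=64
Mar  3 09:12:05 fw kernel: [UFW ALLOW] IN=eth1 OUT=eth0 SRC=10.10.0.23 DST=203.0.113.7 PROTO=UDP SPT=51013 DPT=53 LEN=70
Mar  3 09:12:09 fw kernel: [UFW ALLOW] IN=eth1 OUT=eth0 SRC=10.10.0.41 DST=198.51.100.9 PROTO=UDP SPT=44100 DPT=53 LEN=61
Mar  3 09:12:11 fw kernel: [UFW ALLOW] IN=eth1 OUT=eth0 SRC=10.10.0.23 DST=203.0.113.7 PROTO=TCP SPT=51020 DPT=443 LEN=60
Mar  3 09:12:15 fw kernel: [UFW ALLOW] IN=eth1 OUT=eth0 SRC=10.10.0.41 DST=198.51.100.9 PROTO=UDP SPT=44101 DPT=53 LEN=61'

# On a real box you would pipe the kernel log instead: journalctl -k | rogue_dns_report
printf '%s\n' "$SAMPLE_LOG" | rogue_dns_report
```

A device that shows up here repeatedly is either misconfigured or running something that picked its own resolver; either way it is worth a look before you trust its traffic.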
A firewall isn’t something you set once and forget. The goal isn’t to keep changing things, but to be able to quickly answer, “What changed?” and “Which devices are talking to each other?” when something seems wrong.
For small offices, a simple monthly routine: look for firmware updates, back up your configuration, and check whether any temporary rules are still in place. This is part of protecting your server, since most real breaches aren’t dramatic hacks—they’re old problems that people forgot about.
How to validate your setup in one afternoon
If you want a brief sanity check on a small office setup, do this: from a guest Wi‑Fi device, confirm you can’t access internal admin pages; from a staff device, confirm connectivity is limited to what’s needed; and from outside the office network using a mobile hotspot, confirm nothing is exposed except the services you intentionally publish. If this feels uncomfortable, that’s normal. Security is mostly about removing “convenient shortcuts” and replacing them with safer convenience, like a VPN.
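To make that afternoon check repeatable, here is an added script of my own (not from the post) that encodes the three vantage points as a table of expected open and closed ports and reports any mismatch. Every address and port in the table is a constructed placeholder; swap in your router, NAS and public address.

```bash
#!/usr/bin/env bash
# Perimeter sanity check. Run it as "perimeter-check.sh guest|staff|outside" from a
# guest Wi-Fi device, a staff laptop and a phone hotspot, then compare the results.
# The addresses in EXPECTATIONS are constructed placeholders; replace them with yours.
# probe HOST PORT -> prints "open" if a TCP connect succeeds, otherwise "closed"
# (refused, filtered and timed-out connections all count as closed here).
probe() {
  local host="$1" port="$2" t=""
  command -v timeout >/dev/null 2>&1 && t="timeout 3"
  if $t bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null; then
    echo open
  else
    echo closed
  fi
}

# check HOST PORT EXPECTED LABEL -> prints PASS or FAIL, returns 0 only on a match
check() {
  local host="$1" port="$2" expected="$3" label="$4" actual
  actual=$(probe "$host" "$port")
  if [ "$actual" = "$expected" ]; then
    printf 'PASS  %-18s %s:%s is %s\n' "$label" "$host" "$port" "$actual"
    return 0
  fi
  printf 'FAIL  %-18s %s:%s is %s, expected %s\n' "$label" "$host" "$port" "$actual" "$expected"
  return 1
}
# vantage  host          port  expected  label
EXPECTATIONS='
guest    10.20.0.1     443   closed    router-admin
guest    10.10.0.50    445   closed    nas-smb
staff    10.10.0.50    445   open      nas-smb
staff    10.10.0.50    5000  closed    nas-admin
outside  203.0.113.10  443   open      public-https
outside  203.0.113.10  22    closed    ssh
outside  203.0.113.10  3389  closed    rdp
'
# run_checks VANTAGE -> runs that vantage's rows, returns the number of failures
run_checks() {
  local vantage="$1" failures=0 v host port expected label
  while read -r v host port expected label; do
    [ "$v" = "$vantage" ] || continue
    check "$host" "$port" "$expected" "$label" || failures=$((failures + 1))
  done <<EOF
$EXPECTATIONS
EOF
  return "$failures"
}

[ $# -gt 0 ] && run_checks "$1"
```

Keep the table next to your firewall config and re-run it after every rule change; a FAIL on an "outside" row is exactly the forgotten port-forward this post warns about.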
Need help? Check out SABAKO’s service—they offer consultations and support to help you feel confident about your setup.
Thanks for reading. Have a great day!