Lesson 4.3 — Inbound connections, port forwarding and firewall rule justification

This lesson helps the learner identify and document inbound firewall rules, port forwarding and internet-exposed services.

What You'll Be Able to Do

By the end of this lesson, you will be able to:

  • identify inbound connections into in-scope networks and cloud-hosted infrastructure
  • document the business need for each rule
  • confirm that rules are approved by an authorised person
  • flag unnecessary or risky rules for removal or review.

Why This Matters

This lesson explains why unauthenticated inbound connections should be blocked by default, when inbound rules may be justified, who should approve them, and how to remove rules that are no longer needed.

The most common problems are:

  • assuming inbound traffic is blocked by default without checking;
  • failing to document port forwards;
  • leaving old port forwards active;
  • exposing RDP, SSH, databases or admin interfaces directly to the internet without strong justification.

The Core Rule

Cyber Essentials expects unauthenticated inbound connections to be blocked by default.

Any inbound firewall rule that allows traffic from outside into an in-scope network, device, server or service should be documented, approved by an authorised person and supported by a business need.

What the CE Assessor Looks For

A strong position shows:

  • inbound traffic is blocked by default;
  • every allowed inbound rule is known;
  • each rule has a business need;
  • each rule has an authorised approver;
  • temporary rules have expiry dates;
  • high-risk services are not directly exposed without strong justification and controls.

Common Mistakes

  • assuming inbound traffic is blocked by default without checking;
  • failing to document port forwards;
  • leaving old port forwards active;
  • exposing RDP, SSH, databases or admin interfaces directly to the internet without strong justification;
  • documenting only office firewall rules and forgetting cloud security groups;
  • forgetting hosted servers and VPS firewall rules.

Copy This

Keep this rule visible:

Block by default. Allow only what is necessary. Document why. Review regularly. Remove what is no longer needed.

Quick Checklist

Before moving on, make sure you can answer each of these:

  • [ ] What should the default inbound firewall position be?
  • [ ] What is port forwarding?
  • [ ] Are inbound firewall rules always prohibited?
  • [ ] What should be documented for each allowed inbound rule?
  • [ ] Why are temporary rules risky?

Your Action

Do this now — it takes 10–20 minutes.

List every inbound rule on your firewalls. For each rule, write the business reason it exists and who approved it. Add to Section F.
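
Once the rules are listed, the checks from this lesson can be run over the register automatically. The script below is an added example, not part of the original lesson or of any Cyber Essentials tooling; the CSV column names, the sample rows and the port list are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample register; column names are assumptions, not the workbook's.
SAMPLE_REGISTER = """\
rule_id,location,source,port,service,business_need,approved_by,temporary,expires
FW-01,office firewall,any,443,HTTPS to customer portal,Customer portal access,J. Smith (IT Manager),no,
FW-02,office firewall,any,3389,RDP to file server,,,no,
SG-03,cloud security group,203.0.113.10/32,22,SSH to VPS,Supplier maintenance,J. Smith (IT Manager),yes,2024-01-31
SG-04,cloud security group,any,5432,PostgreSQL,Reporting tool,,yes,
"""

# Ports for services the lesson names as high risk (RDP, SSH, databases).
HIGH_RISK_PORTS = {22: "SSH", 3389: "RDP", 1433: "MS SQL", 3306: "MySQL", 5432: "PostgreSQL"}
INTERNET_SOURCES = {"any", "0.0.0.0/0", "::/0"}


def review_register(text, today):
    """Return {rule_id: [findings]} for rules that need review or removal."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        issues = []
        if not row["business_need"].strip():
            issues.append("no business need recorded")
        if not row["approved_by"].strip():
            issues.append("no authorised approver recorded")
        if row["temporary"].strip().lower() == "yes":
            expires = row["expires"].strip()
            if not expires:
                issues.append("temporary rule has no expiry date")
            elif date.fromisoformat(expires) < today:
                issues.append("temporary rule expired on " + expires)
        port = int(row["port"])
        if port in HIGH_RISK_PORTS and row["source"].strip().lower() in INTERNET_SOURCES:
            issues.append(HIGH_RISK_PORTS[port] + " open to any internet address")
        if issues:
            findings[row["rule_id"]] = issues
    return findings


if __name__ == "__main__":
    for rule_id, issues in review_register(SAMPLE_REGISTER, date(2024, 6, 1)).items():
        print(rule_id + ": " + "; ".join(issues))
```

Rules that appear in the output are the ones to flag for removal or review; a rule with no findings still needs its business need confirmed by a person.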

Key Takeaway

Block by default. Allow only what is necessary. Document why. Review regularly. Remove what is no longer needed.

Your Workbook Activity

Complete: Inbound firewall rule and port forwarding register

Next Lesson

In the next lesson: Firewall rule reviews: keeping rules current and removing what is no longer needed