My explanation of the default rules is below. Add further restrictions as needed, but as a starting point this is a decent security baseline to build on.
0: Accept SSH to Linux hosts from your local network
1: Allow RDP from a VPN to Windows boxes
2: Allow RDP from your local network
3: Allow VMs to use DNS
4: Allow VMs to browse via HTTPS
5: Disallow VMs from accessing the gateway's configuration (set this to your router's address). NOTE: If your router's admin interface uses HTTPS, add a rule blocking that as well, and keep it above the HTTPS allow so it matches first.
6: Allow VMs to browse HTTP externally or on the local network.
7-12: Drop all incoming TCP and UDP packets that do not match the rules above, and do not allow VMs to connect to any services anywhere (SMB, SMTP, etc.)
13: Allow all other protocols not blocked in 7-12 to reach the gateway (only if any are listening above port 1024)
14: Drop all other packets sent from the VM to the local network (including the gateway).
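One way to turn this list into a concrete ruleset, given here as an added example and not the original poster's configuration: an nftables forward chain on a Linux host that forwards its VMs' traffic, with rule 5 placed above the web allows because nftables stops at the first matching rule. The interface names (vmbr0, lan0, wg0), the 192.168.1.0/24 local network, the 192.168.1.1 gateway and the 10.8.0.0/24 VPN range are all assumed values.

```nftables
#!/usr/sbin/nft -f
# Added example: the numbered baseline above as an nftables forward ruleset
# on a Linux host that forwards VM traffic. Interface names (vmbr0 = VM side,
# lan0 = local network, wg0 = VPN) and every address below are assumptions
# for this example, not the original author's values.

define LAN     = 192.168.1.0/24   # local network (assumed)
define GATEWAY = 192.168.1.1      # router address used by rule 5 (assumed)
define VPN     = 10.8.0.0/24      # VPN client range (assumed)

table inet vmguard {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were already allowed, either direction
        ct state established,related accept
        ct state invalid drop

        # --- Into the VMs (rules 0-2). The "drop everything else inbound"
        #     of rules 7-12 is the chain policy, so it needs no rule. ---
        # 0: SSH to Linux VMs from the local network
        iifname "lan0" oifname "vmbr0" ip saddr $LAN tcp dport 22 accept
        # 1: RDP to Windows VMs from the VPN
        iifname "wg0" oifname "vmbr0" ip saddr $VPN tcp dport 3389 accept
        # 2: RDP to Windows VMs from the local network
        iifname "lan0" oifname "vmbr0" ip saddr $LAN tcp dport 3389 accept

        # --- Out of the VMs (rules 3-6, 13, 14) ---
        # 5 goes first: the router-UI block must sit above the HTTP and
        #    HTTPS allows (4 and 6) or it never matches. Port 443 is in the
        #    set because the note says to add it when the router uses HTTPS;
        #    remove it if yours does not.
        iifname "vmbr0" ip daddr $GATEWAY tcp dport { 80, 443 } log prefix "vm-to-router-ui " drop
        # 3: DNS over UDP and TCP
        iifname "vmbr0" meta l4proto { tcp, udp } th dport 53 accept
        # 4: HTTPS anywhere
        iifname "vmbr0" tcp dport 443 accept
        # 6: HTTP externally or on the local network
        iifname "vmbr0" tcp dport 80 accept
        # 13: anything else on the gateway only if it listens above port 1024
        iifname "vmbr0" ip daddr $GATEWAY meta l4proto { tcp, udp } th dport 1025-65535 accept
        # 7-12 and 14: every other VM-to-local-network packet (SMB, SMTP,
        #    the gateway itself) is logged and dropped; the chain policy
        #    drops everything else, so VMs reach no other service anywhere.
        iifname "vmbr0" ip daddr $LAN log prefix "vm-blocked " drop
    }
}
```

The two log prefixes give you a kernel-log line for each blocked attempt, which is the signal to watch for a VM that starts probing the router or its neighbours.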
