Gfl (Follower), Apr 04, 2026
GS108Tv3 Recommended ACL for direct internet
I’m looking for a list of recommended IPv4 ACL rules for a switch directly connected to the internet with a static IP.
2 Replies
Good question, and StephenB raises an important point worth addressing first.
The GS108Tv3 is a managed smart switch, not a stateful firewall. Its ACL engine works at Layer 2/3 but has no stateful connection tracking, so it cannot distinguish between a new inbound connection and return traffic the way a proper firewall can. That limitation shapes everything below.
That said, here is a practical set of IPv4 ACL rules to apply on the uplink port facing the internet:
INBOUND (from internet side) - deny these first:
- Deny source 10.0.0.0/8 (RFC 1918 anti-spoof)
- Deny source 172.16.0.0/12 (RFC 1918 anti-spoof)
- Deny source 192.168.0.0/16 (RFC 1918 anti-spoof)
- Deny source 127.0.0.0/8 (loopback anti-spoof)
- Deny source 0.0.0.0/8 (unspecified)
- Permit any protocol you genuinely need inbound (e.g., TCP port 443 for a web server)
- Deny all (implicit or explicit catch-all)
OUTBOUND (to internet side):
- Permit established TCP (ACK set) for return traffic
- Permit UDP source port 53 for DNS responses
- Permit ICMP echo-reply
- Deny everything else outbound as needed
One thing to keep in mind: without stateful tracking, allowing return traffic cleanly is tricky. A stateless ACL that permits TCP with ACK set is a rough approximation, not a reliable substitute for a firewall.
If at all possible, put even a basic router/firewall (pfSense, OPNsense, or similar) between the switch and the internet. The switch ACLs then become a second layer of defence rather than your only line.
What exactly are you trying to protect or expose on this switch? Knowing that would help narrow down which specific ports to open.
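To make the two points in the reply above concrete (rule order matters, and a stateless ACL judges every packet on its own), here is a small first-match simulator of that inbound list. It is an added example, not code from the thread or from NETGEAR; it assumes the GS108Tv3 evaluates its ACL as a plain ordered list with an implicit deny, and every address and packet in it is constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"       # source prefix to match
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # destination port, None = any
    ack: Optional[bool] = None   # required TCP ACK flag state, None = don't care

def matches(rule: Rule, pkt: dict) -> bool:
    """Stateless match: only the fields of this one packet are consulted."""
    return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule.src)
            and rule.proto in ("any", pkt["proto"])
            and rule.dport in (None, pkt.get("dport"))
            and rule.ack in (None, pkt.get("ack", False)))

def evaluate(acl: list, pkt: dict) -> str:
    """First matching rule wins; an unmatched packet hits the implicit deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"

# Inbound list for the internet-facing port, in the order the reply gives it.
ANTI_SPOOF = [Rule("deny", p) for p in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]
INBOUND = ANTI_SPOOF + [Rule("permit", proto="tcp", dport=443)]
# Same rules with the service permit listed first: order decides the outcome.
INBOUND_MISORDERED = [Rule("permit", proto="tcp", dport=443)] + ANTI_SPOOF
# Variant that admits "return traffic" by trusting the ACK bit, the only option without state.
INBOUND_ACK_TRUST = INBOUND + [Rule("permit", proto="tcp", ack=True)]

# Constructed sample packets (documentation-range addresses, not captured traffic).
SPOOFED_SYN = {"src": "192.168.1.5", "proto": "tcp", "dport": 443, "ack": False}
PUBLIC_SYN = {"src": "203.0.113.7", "proto": "tcp", "dport": 443, "ack": False}
PUBLIC_SSH = {"src": "203.0.113.7", "proto": "tcp", "dport": 22, "ack": False}
UNSOLICITED_ACK = {"src": "198.51.100.9", "proto": "tcp", "dport": 3389, "ack": True}

def demo() -> dict:
    # Verdict per packet; note the switch has no connection table to consult.
    return {
        "spoofed": evaluate(INBOUND, SPOOFED_SYN),                        # deny
        "spoofed_misordered": evaluate(INBOUND_MISORDERED, SPOOFED_SYN),  # permit
        "web": evaluate(INBOUND, PUBLIC_SYN),                             # permit
        "ssh": evaluate(INBOUND, PUBLIC_SSH),                             # deny (implicit)
        "ack_trusted": evaluate(INBOUND_ACK_TRUST, UNSOLICITED_ACK),      # permit
    }
```

The last verdict is the caveat from the reply in code: once a stateless rule permits any TCP segment with ACK set, an unsolicited segment that merely carries that flag is indistinguishable from a genuine reply.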
StephenB (Guru - Experienced User)
Gfl wrote:
I’m looking for a list of recommended IPv4 ACL rules for a switch directly connected to the internet with a static IP.
Are you saying there is no router between the switch and the internet connection?