Re: strategic firewall rules on WAN-side interfaces
Yeah, the "strategic rule" is very simple: drop all. Don't turn on the external web interface, don't allow anything through that provides a port to the outside.
Seriously, when was the last time that Bob and Doug McKenzie (or Beavis and Butt-Head) wrote any firewall rules? Plug it in, and the lights blink. Go surf. That's it. I had a landlord who subscribed to a cable ISP, and I had to walk him through the process of plugging things in. Like not plugging the telephone into the RJ45 jack. Yeah, just because they are both square doesn't mean they do the same thing. I even had to change his browser home page so he would "be connected to the Internet." (My favorite cringe quote: "Does it have to be on to work?")
We shouldn't expect that people will update their firmware. Honestly, the vast majority don't know what "firmware" is. "Turn it off and back on" is all that we can hope for.