diff --git a/firewall/master.go b/firewall/master.go
index 33e96305..fdcddd9f 100644
--- a/firewall/master.go
+++ b/firewall/master.go
@@ -54,7 +54,6 @@ var defaultDeciders = []deciderFn{
 checkBypassPrevention,
 checkFilterLists,
 checkCustomFilterList,
- dropInbound,
 checkDomainHeuristics,
 checkAutoPermitRelated,
 }
@@ -539,15 +538,6 @@ func checkDomainHeuristics(ctx context.Context, conn *network.Connection, p *pro
 return false
 }
 
-func dropInbound(_ context.Context, conn *network.Connection, _ *profile.LayeredProfile, _ packet.Packet) bool { // implicit default=block for inbound if conn.Inbound { conn.Drop("incoming connection blocked by default", profile.CfgOptionServiceEndpointsKey) return true } return false }
 func checkAutoPermitRelated(_ context.Context, conn *network.Connection, p *profile.LayeredProfile, _ packet.Packet) bool {
 // Auto permit is disabled for default action permit.
 if p.DefaultAction() == profile.DefaultActionPermit {
diff --git a/profile/config.go b/profile/config.go
index a9d705e6..7f04b940 100644
--- a/profile/config.go
+++ b/profile/config.go
@@ -292,11 +292,11 @@ Important: DNS Requests are only matched against domain and filter list rules, a
 cfgStringArrayOptions[CfgOptionEndpointsKey] = cfgOptionEndpoints
 
 // Service Endpoint Filter List
- defaultIncomingRulesValue := []string{"+ Localhost"}
+ defaultIncomingRulesValue := []string{"+ LAN"}
 err = config.Register(&config.Option{
 Name: "Incoming Rules",
 Key: CfgOptionServiceEndpointsKey,
- Description: "Rules that apply to incoming network connections. Cannot overrule Network Scopes and Connection Types (see above). Also note that the default action for incoming connections is to always block.",
+ Description: "Rules that apply to incoming network connections. Cannot overrule Network Scopes and Connection Types (see above).",
 Help: rulesHelp,
 Sensitive: true,
 OptType: config.OptTypeStringArray,
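Review bot: With dropInbound removed from defaultDeciders, an inbound connection that no incoming rule matched no longer fails closed at this point in the chain; for the first time it reaches checkDomainHeuristics, checkAutoPermitRelated and whatever deciders follow the list, and the final decision presumably comes from the profile default action unless the Block Inbound option in profile/config.go is active. Both of those deciders were written while inbound traffic was already filtered out ahead of them, so it is worth confirming that neither permits an inbound connection on its own, for example by auto-permitting it as "related"; the body of checkAutoPermitRelated continues outside the hunk. The list itself no longer records the policy, so I would add above it `// Inbound connections are not implicitly dropped here: unsolicited inbound is blocked by the "Block Inbound" security-level option, otherwise the incoming rules and the profile default action decide.`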
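Review bot: The new default `+ LAN` in defaultIncomingRulesValue permits unsolicited inbound connections from every host on whichever network the device is currently attached to, not only trusted ones, since the LAN scope is presumably decided by address range rather than by trust; the previous default `+ Localhost` did not expose anything beyond the machine itself. The Help text (rulesHelp, outside the hunk) should say so, and the Description should still state the fallback that the removed sentence used to give, so that a user reading the option knows what happens to an inbound connection no rule matches; for example `Description: "Rules that apply to incoming network connections. Cannot overrule Network Scopes and Connection Types (see above). Connections matched by no rule are blocked while Block Inbound is active and otherwise follow the profile's Default Action."`, adjusted if the fallback in firewall/master.go differs.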
@@ -494,7 +494,7 @@ Important: DNS Requests are only matched against domain and filter list rules, a
 Key: CfgOptionBlockInboundKey,
 Description: "Connections initiated towards your device from the LAN or Internet. This will usually only be the case if you are running a network service or are using peer to peer software. Is stronger than Rules (see below).",
 OptType: config.OptTypeInt,
- DefaultValue: status.SecurityLevelOff,
+ DefaultValue: status.SecurityLevelsAll,
 PossibleValues: status.AllSecurityLevelValues,
 Annotations: config.Annotations{
 config.DisplayHintAnnotation: status.DisplayHintSecurityLevel,
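Review bot: Because this commit also removes the implicit inbound drop from the decider chain, the new `status.SecurityLevelsAll` default is now the only thing that keeps unsolicited inbound traffic blocked, and a user who switches this option off is covered solely by the `+ LAN` default rule and the profile's default action rather than by a last-resort drop; the Description should warn about that, for example by appending `Switching this off leaves inbound connections to the Incoming Rules below and the profile's Default Action; there is no implicit block.` Existing installations also deserve a look: if a persisted explicit `status.SecurityLevelOff` (the previous default) survives the upgrade, those users silently lose the implicit block they had, so a config migration or a release note is worth checking, though whether the config layer stores explicitly set defaults is not visible here.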