Cisco C1111-8p

jeremy0463 (Spotlight)

I bought a C1111-8p router to set up a small lab at home and learn. I did not realize there was a separate security license. Since there is no firewall, if I set up a NAT ACL that only allows inside sources to the outside interface and denies everything else, am I safe for now? I plan to get the security license eventually.

2 Accepted Solutions

balaji.bandi (Hall of Fame)

Sure, that works for the LAN subnet to go to the Internet, if you do not want to allow anything from outside to inside.

Basic internet with NAT using a router:

https://www.balajibandi.com/?p=1796

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help


Without a FW it is hard.

TCP is the only two-way traffic (sure, ICMP also, but ICMP is only for test).

You can try an ACL for TCP with the established keyword,

and deny any UDP and TCP traffic passing from outside to inside.

MHM


8 Replies


https://www.howtonetwork.com/ccna-security/access-control-lists-cisco-acl/

This link is for this kind of ACL.

Note: add deny any any log at the end of your ACL; this helps you to know what traffic is denied by the ACL, and then you can allow or deny traffic.

Note: try to put ACL line increments of 10 by 10; in case you want to return and add a line between previous ones, you can do that.

MHM

So I really just need the security license, it sounds like. If I permit the inside subnet to the outside interface on my given subnets, but deny all else on the ACL, it will end up denying the returning packets and I will have no internet access basically, right? And if I deny all TCP and UDP specifically, it will be the same result, right? Keywords seem like I would constantly have to be adding new ones to prevent limited access. Keep in mind I'm a beginner here lol, and thank you guys for being so helpful! Those articles above are a big help to me learning here on my own.

"it will end up denying the returning packets and I will have no internet access basically, right?" Sorry, yes.

That is why we need the established keyword, to allow return traffic only if the traffic is initiated from your inside client.

For UDP, as I mentioned, you need to add deny any any log and see if your ACL denies any important UDP traffic.

Good luck

MHM

Apparently I have the license. In the GUI, there is an option to change the license level. I chose security k9, the router rebooted, and now I have threat defense and VPN. Is this a trial? The license status just shows "in use."

I am not sure 100%, but since you activated it, use it; when it expires (if it is a trial) then get a new license.

MHM

Some licenses you can enable as a trial and use for testing; once they expire, the features stop working.

It all depends on the requirement - the base should be able to do the work for you for connecting to the internet.

Most ISP providers do have a certain kind of attack prevention; as long as you do not open any incoming flows or incoming port-forwarding, to some degree you are secured.

You can also enable logging by adding an ACL on the outside interface; that will show you what kind of traffic or attack is being established from outside to inside (then based on that you can apply an ACL) and remove the log option.

As long as you are not listening on any service on the outside interface, and if you source it from the LAN interface, that is ok.

All the packets of established connections cannot be dropped, from inside to outside.

You should have a sensible ACL on the outside interface to protect your device if it is exposed to the Internet.

Some guidance URLs:

https://www.cisco.com/c/en/us/support/docs/ip/access-lists/44541-tacl.html

https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html

https://www.cisco.com/c/en/us/support/docs/ip/access-lists/43920-iacl.html

 

BB
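An example of the kind of outside-interface ACL that MHM (established keyword, deny any any log at the end, sequence numbers in steps of 10) and BB (logging ACL on the outside interface, NAT only for LAN sources) describe. This is an added example, not configuration posted by either of them; the interface names, the LAN subnet 192.168.10.0/24 and DHCP on the WAN port are assumptions for a home lab.

```cisco
! Added example (not from the thread). Interface names, the LAN subnet and
! DHCP on the WAN port are assumptions; adjust them to your lab.
!
! Inbound filter for the Internet-facing interface. IOS ACLs are stateless:
! "established" only matches TCP segments with ACK or RST set; it does not
! check that the session really began from the LAN. Without the security
! license (zone-based firewall) this is the best a plain ACL can do.
ip access-list extended OUTSIDE-IN
 remark --- return traffic for TCP sessions started from inside
 10 permit tcp any any established
 remark --- ICMP replies and errors (ping tests, path MTU discovery)
 20 permit icmp any any echo-reply
 30 permit icmp any any unreachable
 40 permit icmp any any time-exceeded
 remark --- UDP has no "established"; allow only the replies you expect
 50 permit udp any eq domain any gt 1023
 60 permit udp any eq bootps any eq bootpc
 remark --- everything else is dropped and logged; read the log before
 remark --- adding a line (the gaps in sequence numbers leave room for it)
 900 deny ip any any log
!
interface GigabitEthernet0/0/0
 description Outside (Internet)
 ip address dhcp
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface Vlan1
 description Inside (LAN)
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! Only LAN sources are translated; nothing is ever translated inbound.
ip access-list standard NAT-INSIDE
 permit 192.168.10.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0/0 overload
```

`show access-lists OUTSIDE-IN` shows the hit count per line and `show logging` shows what the final deny is dropping, so you can decide what to permit before removing the log keyword.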
