Network Segmentation Approaches

The first rule in every firewall is of course
"deny all" and subsequent rulesets permit only
the traffic that is necessary.

Nope, I said exactly what I intended (and what I do, in practice).
Doing so forces one to understand in detail what traffic actually
needs to pass in/out and to craft specific rules for it. This in
turn helps avoid making mistake #1:

  The Six Dumbest Ideas in Computer Security
  http://www.ranum.com/security/computer_security/editorials/dumb/

---rsk

It depends on the software used and implementation.
Many rulesets for pf on BSD start with 'block in on interfaceX' for instance,
because it uses a "last match wins" system, unless you use the 'quick' keyword
to make rule processing stop if that rule matches.

Andrew
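To make the ordering point concrete, here is a small model of the two matching
disciplines the thread is about. It is an added example, not code from either
poster: a constructed pf-style ruleset is evaluated once with pf's "last match
wins, unless quick" semantics as Andrew describes them, and once with the
first-match semantics of iptables-style filters (the first-match contrast goes
beyond what the posts say, for comparison). The interface name em0, the rules
and the packets are all made up for the illustration.

```python
"""Model of firewall rule ordering: pf's last-match-wins with the 'quick'
modifier, next to an iptables-style first-match filter.

Added example; the interface, rules and packets below are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "block" or "pass"
    direction: str               # "in" or "out"
    iface: Optional[str] = None  # None matches any interface
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port
    quick: bool = False          # pf 'quick': stop evaluating on match

    def matches(self, pkt: dict) -> bool:
        return (self.direction == pkt["dir"]
                and self.iface in (None, pkt["iface"])
                and self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt["dport"]))


def first_match(rules, pkt, default="block"):
    """iptables-style: the first matching rule decides; 'default' is the
    chain policy applied when nothing matches."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return default


def pf_last_match(rules, pkt, default="pass"):
    """pf-style: every rule is evaluated and the last match wins, unless a
    matching rule is marked quick, which ends evaluation at once. pf passes
    packets that match no rule at all, hence default="pass"."""
    decision = default
    for r in rules:
        if r.matches(pkt):
            decision = r.action
            if r.quick:
                break
    return decision


# Constructed pf.conf equivalent:
#   block in on em0
#   pass in on em0 proto tcp to port 22
#   pass in on em0 proto tcp to port 443
PF_RULES = [
    Rule("block", "in", iface="em0"),
    Rule("pass", "in", iface="em0", proto="tcp", dport=22),
    Rule("pass", "in", iface="em0", proto="tcp", dport=443),
]

# Constructed: a narrow block placed before a broad pass. Only the quick
# version actually blocks, because otherwise the later pass rule wins.
#   block in quick on em0 proto tcp to port 23
#   pass in on em0 proto tcp
QUICK_RULES = [
    Rule("block", "in", iface="em0", proto="tcp", dport=23, quick=True),
    Rule("pass", "in", iface="em0", proto="tcp"),
]
NO_QUICK_RULES = [
    Rule("block", "in", iface="em0", proto="tcp", dport=23, quick=False),
    Rule("pass", "in", iface="em0", proto="tcp"),
]

# Constructed inbound packets on em0.
PKT_SSH = {"dir": "in", "iface": "em0", "proto": "tcp", "dport": 22}
PKT_SMB = {"dir": "in", "iface": "em0", "proto": "tcp", "dport": 445}
PKT_TELNET = {"dir": "in", "iface": "em0", "proto": "tcp", "dport": 23}


def evaluate_all() -> dict:
    """Run the constructed packets through both disciplines."""
    return {
        # pf: the leading 'block in on em0' is overridden by the later pass.
        "pf_ssh": pf_last_match(PF_RULES, PKT_SSH),          # pass
        "pf_smb": pf_last_match(PF_RULES, PKT_SMB),          # block
        # Same rule order under first-match: the broad block wins every time.
        "fm_ssh": first_match(PF_RULES, PKT_SSH),            # block
        # quick stops evaluation before the broad pass is reached.
        "quick_telnet": pf_last_match(QUICK_RULES, PKT_TELNET),       # block
        "noquick_telnet": pf_last_match(NO_QUICK_RULES, PKT_TELNET),  # pass
        "quick_ssh": pf_last_match(QUICK_RULES, PKT_SSH),             # pass
    }


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name}: {verdict}")
```

The takeaway for the "deny all first" rule of thumb is that it only means the
same thing under both disciplines if the deny is expressed as the chain policy
(first-match) or as a leading non-quick block (pf); copying a pf ruleset
verbatim into a first-match filter turns the leading block into "block
everything".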