Network Segmentation Approaches

The first rule in every firewall is of course
"deny all" and subsequent rulesets permit only
the traffic that is necessary.

Nope, I said exactly what I intended (and what I do, in practice).
Doing so forces one to understand in detail what traffic actually
needs to pass in/out and to craft specific rules for it. This in
turn helps avoid making mistake #1:

  The Six Dumbest Ideas in Computer Security
It depends on the software used and implementation.
Many rulesets for pf on BSD start with 'block in on interfaceX' for instance, because it uses a "last match wins" system, unless you use the 'quick' keyword to make rule processing stop if that rule matches.
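To make the difference between the two evaluation models concrete, here is a small Python model of rule processing. It is an added example, not code from anyone in this thread and not pf itself: the `Packet`/`Rule` classes, the interface name `em0` and the rulesets are constructed for illustration, and the packet matcher only looks at interface, direction, protocol and destination port. It shows why a ruleset that opens with `block in on em0` behaves as a default deny under pf's last-match-wins semantics, how `quick` lets an early `block` survive a later, broader `pass`, and why the very same ordering would block everything in a first-match firewall.

```python
"""Model of pf-style ("last match wins" + quick) versus first-match rule evaluation.

Added example for the discussion above; the rule and packet model is a
simplification and the rulesets below are constructed, not taken from a real host.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    iface: str       # e.g. "em0" (constructed interface name)
    direction: str   # "in" or "out"
    proto: str       # "tcp" or "udp"
    dport: int       # destination port


@dataclass(frozen=True)
class Rule:
    action: str               # "block" or "pass"
    direction: str            # "in", "out" or "any"
    iface: Optional[str]      # None matches any interface
    proto: Optional[str]      # None matches any protocol
    dport: Optional[int]      # None matches any port
    quick: bool = False       # pf's `quick`: stop evaluating on match

    def matches(self, p: Packet) -> bool:
        return (
            (self.direction == "any" or self.direction == p.direction)
            and (self.iface is None or self.iface == p.iface)
            and (self.proto is None or self.proto == p.proto)
            and (self.dport is None or self.dport == p.dport)
        )


def evaluate_pf(rules: List[Rule], p: Packet) -> str:
    """pf semantics: every rule is consulted, the LAST match decides,
    unless a matching rule is marked `quick`, which ends evaluation.
    If nothing matches, pf's implicit default is to pass the packet."""
    decision = "pass"
    for r in rules:
        if r.matches(p):
            decision = r.action
            if r.quick:
                break
    return decision


def evaluate_first_match(rules: List[Rule], p: Packet, default: str = "block") -> str:
    """First-match semantics (the model many other firewalls use):
    the first rule that matches decides; `quick` is irrelevant here."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


# Constructed ruleset 1: the pf idiom the post describes.
# A broad `block in on em0` comes first; specific `pass` rules follow.
DEFAULT_DENY_RULES = [
    Rule("block", "in", "em0", None, None),        # block in on em0
    Rule("pass",  "in", "em0", "tcp", 22),         # pass in on em0 proto tcp to port 22
    Rule("pass",  "in", "em0", "tcp", 443),        # pass in on em0 proto tcp to port 443
]

# Constructed ruleset 2: `quick` protects an early block from a later broad pass.
QUICK_RULES = [
    Rule("block", "in", "em0", "tcp", 23, quick=True),   # block in quick ... port 23
    Rule("pass",  "in", "em0", "tcp", None),             # pass in on em0 proto tcp
]

# Same as ruleset 2 but without `quick`: the later pass now wins.
NO_QUICK_RULES = [
    Rule("block", "in", "em0", "tcp", 23),
    Rule("pass",  "in", "em0", "tcp", None),
]


def compare(rules: List[Rule], p: Packet) -> dict:
    """Return the decision both models reach for one packet."""
    return {"pf": evaluate_pf(rules, p), "first_match": evaluate_first_match(rules, p)}


if __name__ == "__main__":
    ssh = Packet("em0", "in", "tcp", 22)
    telnet = Packet("em0", "in", "tcp", 23)
    print("default-deny ruleset, ssh:   ", compare(DEFAULT_DENY_RULES, ssh))
    print("default-deny ruleset, telnet:", compare(DEFAULT_DENY_RULES, telnet))
    print("quick ruleset, telnet:       ", evaluate_pf(QUICK_RULES, telnet))
    print("no-quick ruleset, telnet:    ", evaluate_pf(NO_QUICK_RULES, telnet))
```

Running it shows the point of the thread: under pf the default-deny ruleset passes ssh and blocks telnet, while a first-match engine given the identical ordering blocks ssh too, because the leading `block` is the first match. The `quick` comparison shows the opposite hazard: without `quick`, a later `pass in proto tcp` silently overrides the earlier block for port 23, so the ordering of a pf ruleset has to be read with "last match wins" in mind.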