There are two basic ways to create firewall rulesets: “inclusive” or
“exclusive”. An exclusive firewall allows all traffic through except for the
traffic matching the ruleset. An inclusive firewall does the reverse. It only allows
traffic matching the rules through and blocks everything else.
Inclusive firewalls are generally safer than exclusive firewalls because they
significantly reduce the risk of allowing unwanted traffic to pass through the
firewall.
Security can be tightened further using a “stateful firewall”. A
stateful firewall keeps track of which connections have been opened through it
and only allows traffic through that either matches an existing connection
or opens a new one. The disadvantage of a stateful firewall is that it can be vulnerable
to Denial of Service (DoS) attacks if a lot of new
connections are opened very fast, since every tracked connection consumes state table memory.
With most firewalls it is possible to use a combination
of stateful and non-stateful behavior to make an optimal firewall for the site.
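The following pf ruleset is an added example, not part of the original text, that puts the three ideas above together: an inclusive (default-deny) policy, stateful rules for the services that are permitted, a per-source rate limit so that a flood of new connections cannot exhaust the state table, and one stateless rule for high-volume traffic where tracking every connection is not worth the cost. The interface name `em0`, the table name `<flooders>` and the numeric limits are assumptions chosen for illustration.

```pf
# Inclusive, stateful ruleset (example; interface and limits are assumed)
ext_if = "em0"

# Hosts that open too many connections too fast end up in this table
table <flooders> persist

# Do not filter the loopback interface
set skip on lo0

# Inclusive policy: everything that no later rule explicitly passes is dropped
block all

# Drop anything from hosts already identified as flooding, before any pass rule
block in quick on $ext_if from <flooders>

# Stateful outbound: replies to connections this host opens are matched
# against the state table, no separate inbound rule is needed for them
pass out on $ext_if proto { tcp udp } from ($ext_if) keep state

# Stateful inbound SSH, limited so that a burst of new connections cannot
# fill the state table (the DoS exposure of stateful filtering):
#   max-src-conn 10       at most 10 open connections per source
#   max-src-conn-rate 5/30  at most 5 new connections per source per 30 s
# A source exceeding either limit is added to <flooders> and its existing
# states are flushed.
pass in on $ext_if proto tcp to ($ext_if) port 22 flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <flooders> flush global)

# Non-stateful inbound DNS: high-volume UDP that is not worth tracking per
# query. Because no state is created, the replies must be passed explicitly.
pass in  on $ext_if proto udp to ($ext_if) port 53 no state
pass out on $ext_if proto udp from ($ext_if) port 53 no state
```

Because pf evaluates rules last-match-wins unless `quick` is used, the `block all` at the top is the default and each `pass` below it carves out an exception; the `block in quick` for `<flooders>` sits before the `pass` rules so that a blocked host never reaches them. The current contents of the table can be inspected with `pfctl -t flooders -T show`, and the state table pressure the text warns about with `pfctl -s info`.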