Each firewall chain has a default policy and an ordered list of rules, each pairing a match condition (protocol, source and destination address, port, and so on) with an action to take on packets that fit it. A packet is compared against the rules in order; the first rule that matches decides what happens to it, and the remaining rules are not consulted, so rule order matters. If the packet matches no rule at all, it falls through and the chain's default policy is applied to it.

There are two basic approaches to a firewall:
Deny everything by default and explicitly allow selected packets through.
Accept everything by default and explicitly deny selected packets.

The deny everything policy is the recommended approach. It makes it easier to end up with a secure firewall, because anything you forget to allow is blocked rather than exposed, but every service you want, and every protocol transaction that service depends on, must be enabled explicitly. That means you have to understand the communication protocol of each service you enable: which ports it uses, and which side opens the connection. The deny everything approach therefore requires more work up front before Internet access works at all. Some commercial firewall products support only the deny everything policy.
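To make the first-match-then-policy behaviour concrete, here is a small Python model of chain evaluation. It is an added example, not code from the original text, and it uses a simplified packet and rule representation of its own rather than any real firewall's syntax; the chains, rules and sample traffic are constructed for the illustration. Only terminating actions (ACCEPT and DROP) are modelled; in iptables, for instance, the LOG target is non-terminating and lets traversal continue to the next rule. The same traffic is run through a deny-by-default chain and an accept-by-default chain to show where the two approaches give different answers, and a deliberately misordered chain shows a broad rule shadowing a more specific one placed after it.

```python
# Added example (not from the original text): a toy model of firewall
# chain evaluation. Rules are tried in order, the first match decides the
# verdict, and an unmatched packet falls through to the default policy.
# Only terminating targets (ACCEPT/DROP) are modelled; a non-terminating
# target such as iptables' LOG would let traversal continue.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str                     # source IPv4 address
    dport: Optional[int] = None  # destination port (None for icmp)
    state: str = "NEW"           # connection-tracking state: "NEW" or "ESTABLISHED"


@dataclass(frozen=True)
class Rule:
    target: str                  # "ACCEPT" or "DROP"
    proto: Optional[str] = None  # unset fields are wildcards and match anything
    src: Optional[str] = None    # CIDR block, e.g. "10.0.0.0/8"
    dport: Optional[int] = None
    state: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        """Every field the rule specifies must agree with the packet."""
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.state is not None and self.state != pkt.state:
            return False
        return True


@dataclass
class Chain:
    policy: str                  # verdict applied when no rule matches
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (verdict, index of the matching rule, or None if the policy decided)."""
        for i, rule in enumerate(self.rules):
            if rule.matches(pkt):
                return rule.target, i
        return self.policy, None


# Approach 1: deny everything, then open only what is needed.
DENY_BY_DEFAULT = Chain("DROP", [
    Rule("ACCEPT", state="ESTABLISHED"),                      # replies to connections we opened
    Rule("ACCEPT", proto="tcp", src="10.0.0.0/8", dport=22),  # SSH, but only from the LAN
    Rule("ACCEPT", proto="tcp", dport=443),                   # public HTTPS
])

# Approach 2: accept everything, then block known-bad services.
ALLOW_BY_DEFAULT = Chain("ACCEPT", [
    Rule("DROP", proto="tcp", dport=23),    # telnet
    Rule("DROP", proto="tcp", dport=3306),  # MySQL
])

# Misordered: the broad DROP is matched first, so the ACCEPT after it is never reached.
MISORDERED = Chain("DROP", [
    Rule("DROP", proto="tcp"),
    Rule("ACCEPT", proto="tcp", dport=443),
])

# Constructed sample traffic (addresses from the documentation ranges).
SSH_FROM_LAN = Packet("tcp", "10.1.2.3", 22)
SSH_FROM_WAN = Packet("tcp", "203.0.113.9", 22)
TELNET = Packet("tcp", "203.0.113.9", 23)
HTTPS = Packet("tcp", "203.0.113.9", 443)
REPLY = Packet("tcp", "198.51.100.7", 51234, state="ESTABLISHED")
FORGOTTEN_SERVICE = Packet("tcp", "203.0.113.9", 8080)  # a daemon nobody wrote a rule for


def verdicts(pkt: Packet) -> Tuple[str, str]:
    """Verdict of the deny-by-default and accept-by-default chains for one packet."""
    return DENY_BY_DEFAULT.evaluate(pkt)[0], ALLOW_BY_DEFAULT.evaluate(pkt)[0]


if __name__ == "__main__":
    samples = [("ssh from LAN", SSH_FROM_LAN), ("ssh from WAN", SSH_FROM_WAN),
               ("telnet", TELNET), ("https", HTTPS), ("reply", REPLY),
               ("forgotten service", FORGOTTEN_SERVICE)]
    for name, pkt in samples:
        deny, allow = verdicts(pkt)
        print(f"{name:18} deny-by-default={deny:6} accept-by-default={allow}")
    print("misordered chain, https:", MISORDERED.evaluate(HTTPS))
```

The interesting row is the forgotten service on port 8080: the deny-by-default chain drops it because nothing allowed it, while the accept-by-default chain lets it through because nothing denied it. That is the difference the text describes between the two approaches, and the reason the deny-by-default chain needs an explicit rule, and therefore an understanding of the protocol, for every service that is supposed to work.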