Application protocols can use TCP, UDP, or both. An application server typically listens on one or more fixed TCP or UDP ports. Deny-by-default policies should be used for incoming TCP and UDP traffic. Less strict policies are used for outgoing TCP and UDP traffic because most organizations allow users to access a wide range of external applications on millions of external hosts. Attackers can use ICMP types and codes to perform reconnaissance or to manipulate the flow of network traffic. To prevent such activity, firewalls at the network's perimeter should deny all incoming and outgoing ICMP traffic except for traffic the organization explicitly permits.
A network security policy sets out guidelines for computer access, determines how they are enforced, lays out the architecture of the organization's network security environment, and defines how the policies are implemented throughout that architecture. Firewall policies are only a small part of an organization's overall network security policy, but they go into the specifics of what traffic is and is not permitted: a firewall policy defines how the organization's firewalls should handle inbound and outbound network traffic for specific IP addresses and address ranges, protocols, applications, and content types, based on the organization's network and information security policies.
Some firewalls implement policy through explicit rules, while others require configuring firewall settings from which internal rules are derived. Some create policies and rules automatically, and others use a combination of these approaches. At the end of the day, no matter how the rules are created, the result is a set of rules, called a ruleset, that describes how the firewall acts.
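The following is an added example, not from the original text or any particular firewall product: a minimal first-match ruleset evaluator that encodes the policy described above (deny-by-default inbound TCP/UDP with explicit allows for listening ports, permissive outbound TCP/UDP, and ICMP denied in both directions unless a type/code is explicitly permitted). The listening ports and the permitted ICMP type/code in the ruleset are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    direction: str                  # "in" (toward the network) or "out"
    proto: str                      # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None  # TCP/UDP only
    icmp_type: Optional[int] = None # ICMP only
    icmp_code: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    direction: str
    proto: str
    dst_port: Optional[int] = None  # None means "any port"
    icmp_type: Optional[int] = None # None means "any type"
    icmp_code: Optional[int] = None # None means "any code"

    def matches(self, p: Packet) -> bool:
        """A field set to None in the rule is a wildcard."""
        if (self.direction, self.proto) != (p.direction, p.proto):
            return False
        for want, have in ((self.dst_port, p.dst_port),
                           (self.icmp_type, p.icmp_type),
                           (self.icmp_code, p.icmp_code)):
            if want is not None and want != have:
                return False
        return True

# Constructed sample ruleset. Order matters: the first matching rule wins.
RULESET: List[Rule] = [
    Rule("allow", "in", "tcp", dst_port=443),           # public web server
    Rule("allow", "in", "udp", dst_port=53),            # authoritative DNS
    Rule("allow", "in", "icmp", icmp_type=3, icmp_code=4),  # explicitly permitted ICMP
    Rule("allow", "out", "tcp"),                        # permissive outbound TCP
    Rule("allow", "out", "udp"),                        # permissive outbound UDP
    Rule("allow", "out", "icmp", icmp_type=3, icmp_code=4),
]

def evaluate(packet: Packet, ruleset: List[Rule] = RULESET) -> Tuple[str, Optional[int]]:
    """Return (action, index of matching rule). No match means the implicit
    default-deny applies, reported with index None so it can be logged separately."""
    for i, rule in enumerate(ruleset):
        if rule.matches(packet):
            return rule.action, i
    return "deny", None
```

Packets that fall through to `("deny", None)` are the ones hitting the default-deny rule, which is the event a perimeter firewall log should make easy to distinguish from an explicit deny.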