“Oddly enough, this is something many people don’t think
about a whole lot. In some cases, you can simply deny everything
and have a few specific allow rules, resulting in a pretty tight
configuration. However, you will more likely have specific blocking
rules and allow most other things. This is usually based on
port numbers (i.e. service) and destination, but source is also
very important. Even if you only allow a few trusted IP addresses
to, say, connect to your “secret” web server, an attacker can still
spoof packets, and so on. You can reduce the risk by blocking IP
addresses that are in “high risk” environments, such as
universities, foreign countries and so on (assuming, of course, you
are not terribly interested in talking to them via the
Internet).”