Filter rules dictate what kinds of IP traffic are allowed into, out of, or through the system. When packet filtering is active, the firewall filter driver intercepts every IP packet that passes through the TCP/IP stack, and checks it against the current filter rules in order to determine whether it should be allowed to continue. If no rule can be found which matches the packet, that packet is blocked.
Any traffic which is to be allowed through must therefore match the criteria defined by at least one active filter rule.
This 'deny by default' behaviour can be altered by adding a filter rule which explicitly permits all traffic. Individual rules may then be added which selectively deny certain types of traffic. This would, in effect, change the behaviour of the firewall to 'permit by default'. (See the Examples section for an illustration.) If you wish to do this, keep in mind that 'permit by default' is inherently a less-secure policy than 'deny by default'.
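The two policies described above, as an added example that is not the product's own rule syntax or filter engine. The `Rule` fields, the first-match evaluation order, and the sample addresses are assumptions made for illustration; `default_policy` is the kind of audit check that flags a rule set whose catch-all permit has switched the firewall to 'permit by default'.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY_NET = ip_network("0.0.0.0/0")
ANY_PORT = (0, 65535)

@dataclass(frozen=True)
class Rule:                          # hypothetical rule shape, not the product's
    action: str                      # "permit" or "deny"
    proto: str = "any"               # "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"           # source network (CIDR)
    dst: str = "0.0.0.0/0"           # destination network (CIDR)
    ports: tuple = ANY_PORT          # inclusive destination port range

    def matches(self, proto, src, dst, port):
        return (self.proto in ("any", proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.ports[0] <= port <= self.ports[1])

    def is_catch_all(self):
        # True when the rule's criteria match every IPv4 packet.
        return (self.proto == "any" and self.ports == ANY_PORT
                and ip_network(self.src) == ANY_NET
                and ip_network(self.dst) == ANY_NET)

def decide(rules, proto, src, dst, port):
    """Assumed first-match order; a packet matching no rule is blocked."""
    for rule in rules:
        if rule.matches(proto, src, dst, port):
            return rule.action
    return "deny"

def default_policy(rules):
    """Effective default: the first catch-all rule decides, otherwise 'deny'."""
    for rule in rules:
        if rule.is_catch_all():
            return rule.action
    return "deny"

# Constructed rule sets (documentation address ranges).
DENY_BY_DEFAULT = [Rule("permit", "tcp", dst="192.0.2.10/32", ports=(443, 443))]
# Selective deny placed ahead of the permit-all rule, so it is reached first.
PERMIT_BY_DEFAULT = [Rule("deny", "tcp", ports=(23, 23)), Rule("permit")]

if __name__ == "__main__":
    for name, rules in (("deny-first", DENY_BY_DEFAULT), ("permit-all", PERMIT_BY_DEFAULT)):
        print(name, "default:", default_policy(rules),
              "| udp/53:", decide(rules, "udp", "198.51.100.7", "192.0.2.10", 53))
```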