A firewall ruleset is one of the few artifacts in a network that only grows. It begins tight and deliberate, and over the years it accretes exceptions, temporary rules that quietly became permanent, allowances for hosts long decommissioned, until no one is certain which lines still matter and no one wants to be the person who removes the one that does. The cause is rarely incompetence, it is the absence of a few disciplines applied consistently, and the remedy is not a better appliance but a set of habits enforced every time a rule is written and every time the ruleset is reviewed.
The foundation is default deny. The base policy should drop anything not explicitly permitted, because an allow list is bounded by what you have chosen to open while a block list is bounded only by what you happened to anticipate, and an attacker works precisely in the gap between the two. On top of that, rule order is not cosmetic, because a firewall evaluates rules top to bottom and acts on the first match, so a broad permit placed above a narrow deny will shadow it and the narrow rule will never be reached. A great deal of behavior that looks like a firewall fault is a higher rule matching traffic before the intended rule is ever consulted, which is why ordering, and periodic audits of rule hit counts to find rules that never match, belong in every review.
Least privilege is where most rulesets fail quietly. A rule should specify a source, a destination, a protocol, and a port, scoped as narrowly as the requirement allows, because any to any is not access control, it is the documented absence of it. Modern firewalls are stateful, they track flows in a connection table and automatically permit the return traffic of an established session, which means you permit the initiating direction and let connection tracking handle the reply, rather than writing explicit return rules, a habit carried over from stateless access lists that doubles the size of a ruleset and widens the surface for no security benefit. The state table is itself operational knowledge worth having, because its timeouts and its capacity are finite, and an exhausted connection table fails in ways that present as an application problem until someone thinks to look at the firewall.
What keeps a ruleset trustworthy over time is visibility and accountability. Log denied traffic, not only permits, because the denies are where scanning and reconnaissance first appear, and a permit rule that never registers a hit is a candidate for removal at the next review. Every rule should trace to a request, an owner, and a date, so that a rule whose purpose has been forgotten can be questioned and retired rather than left in place out of fear of what it might be doing. A firewall is not a product installed once and trusted thereafter, it is a living statement of what the network is permitted to do, and its accuracy decays without maintenance. The engineers who keep one effective treat the pruning of rules with the same seriousness as their addition, because a ruleset that only accumulates eventually protects very little, it merely records every decision that anyone was ever afraid to reverse, and a control no one understands is a control no one can trust. A fuller treatment of firewall policy is available in NIST SP 800-41.