
A brief early history of firewalls

As the internet was just beginning to welcome commercial usage in the late 1990s, it became apparent that not everyone who had access would use it for the altruistic reasons set out by the initial community. I had the opportunity to work with some of the first firewalls, providing network and systems security consulting to the City of Palo Alto, CA. Palo Alto, then the home of Digital Equipment Corporation (DEC), billed itself as "The First City in Cyberspace." Their website drew a lot of attention, not all of it the type they wanted.

The earliest implementation of the firewall at Palo Alto was a DEC Unix-based system with what at the time was an unusual feature: two NIC cards. The computer sat between their internet connection and their web server and ran a program called gated. The configuration was referred to as a "bastion host" (see below). Gated was a fairly simple application. It examined the source address of each packet; if the address was on a list of known malicious sources, the packet was dropped, otherwise it was forwarded out the second NIC to the web server. Outbound packets were not filtered, and gated had to be recompiled to add new hosts to the list. The policy was therefore necessarily "allow unless denied." The firewall worked entirely at the network layer.

http://lib.ru/SECURITY/firewall-faq/firewall-faq.txt_with-big-pictures.html
Clearly, there were some serious limitations to this approach going forward. One had to know the malicious sites ahead of time, and the firewall was not at all selective about services. Later firewalls would become much more flexible and effective, allowing security-minded companies to switch to a deny-unless-allowed stance, which is far more secure.
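To make the two stances concrete, here is an added example (not from the original post, and not gated's own code) that models the source-address blocklist described above beside a deny-unless-allowed rule set and runs both over a few sample packets. All addresses, networks and ports are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str       # source IP address
    dst: str       # destination IP address
    proto: str     # "tcp" or "udp"
    dport: int     # destination port
    inbound: bool  # True when the packet arrives on the internet-facing NIC

# Constructed sample values: the protected web server and one "known bad" network.
WEB_SERVER = "192.0.2.10"
BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24")]

def gated_style(pkt: Packet, blocklist=BLOCKLIST) -> str:
    """Allow-unless-denied, as the post describes the early bastion host:
    only inbound traffic is examined, only the source address is checked,
    and the service (protocol/port) is never considered."""
    if not pkt.inbound:
        return "forward"  # outbound packets were not filtered at all
    src = ipaddress.ip_address(pkt.src)
    if any(src in net for net in blocklist):
        return "drop"
    return "forward"      # anything not explicitly blocked gets through

# Deny-unless-allowed rule set: (source network, destination host, proto, port).
# The admin network 198.51.100.0/24 is a constructed example.
ALLOW_RULES = [
    ("0.0.0.0/0",       WEB_SERVER, "tcp", 80),  # public web traffic
    ("198.51.100.0/24", WEB_SERVER, "tcp", 22),  # SSH only from the admin network
]

def default_deny(pkt: Packet, rules=ALLOW_RULES) -> str:
    """Deny-unless-allowed: a packet is forwarded only when an explicit rule
    matches its source, destination, protocol and destination port."""
    src = ipaddress.ip_address(pkt.src)
    for net, dst, proto, port in rules:
        if (src in ipaddress.ip_network(net) and pkt.dst == dst
                and pkt.proto == proto and pkt.dport == port):
            return "forward"
    return "drop"         # no rule matched, so the packet is discarded

if __name__ == "__main__":
    # Telnet from an unknown host: gated-style lets it through, default-deny drops it.
    telnet = Packet("192.0.2.200", WEB_SERVER, "tcp", 23, True)
    print(gated_style(telnet), default_deny(telnet))
```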

