So many people have already made firewalls, so why not take a look at the different existing solutions:
<ul><li>AmazingPorts – easy to set up free firewall that handles most situations Ryan suggests</li><li>pfSense – traditional simple free firewall</li><li>FreeBSD – traditional *ix OS that has great built-in firewall capacity</li></ul>
From an administrative standpoint I wouldn’t go for the “close all” and then open strategy, as it has a couple of inherent weaknesses when it comes to user networks:
- You are not available to open ports when required, thus other people will suffer and/or wait.
- It will create an immense amount of work for you/the administrator.
- Security is usually not better, as any real “crook” will use port 443 anyway, as it will be open and allow encrypted packets.
For these reasons I believe NAT (Network Address Translation) is outstanding, as it protects your network from the outside world without hindering anyone on the “inside” from performing his work.
With regards to server networks, I agree with Ryan completely.
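To make the two policies the reply contrasts concrete, here is an added example (not from the post or from any of the products it names) of how they look as pf rules, the packet filter that pfSense and FreeBSD use. Interface names and the LAN range are assumed placeholders.

```pf
# Added example: the two outbound policies discussed in the reply, written as
# OpenBSD/FreeBSD pf rules. Interface names and addresses are placeholders.
ext_if  = "em0"              # assumed: interface facing the Internet
int_if  = "em1"              # assumed: interface facing the user network
lan_net = "192.168.1.0/24"   # assumed: user network

# Shared by both variants: translate LAN sources to the external address.
# Stateful NAT only creates return-path state for connections that were
# initiated from inside, so unsolicited inbound traffic never matches state.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Shared baseline: inbound from the outside is denied unless a rule opens it.
block in log on $ext_if all

# Variant A ("close all, then open"): outbound is denied by default too, and
# every service users need is opened one by one. Each new application means
# a rule change by the administrator.
block out on $ext_if all
pass out on $ext_if proto tcp from $lan_net to any port { 80 443 } keep state
pass out on $ext_if proto { udp tcp } from $lan_net to any port 53 keep state

# Variant B (the reply's preference for user networks): NAT plus a stateful
# outbound allow. Inbound stays blocked by the baseline rule above, while
# outbound needs no per-application changes. Use instead of Variant A:
# pass out on $ext_if from $lan_net to any keep state
```

Both variants keep the inbound side closed; they differ only in whether outbound traffic is permitted by default, which is exactly the trade-off the reply is arguing about. Loading either ruleset with `pfctl -nf /etc/pf.conf` first checks the syntax without applying it.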