Lockdown Rule
Here you see a simple rulebase that includes the lockdown rule (rule #2).  See the bottom for a detailed explanation of each rule.
Rule 1. Allows only specific systems to make admin connections to the firewall. The service "FireWall1" is a predefined service that defines all the critical administrative ports. Depending on your setup you may have to create several additional rules allowing access to the firewall, for example if you are using encryption or content vectoring.

Rule 2. This is the actual lockdown rule. It denies any other connection attempt to the firewall. I select "drop" as the action, instead of "reject", since a silent drop gives out less information and makes scanning take longer.

Rule 3. This is a standard "allow anything outbound" rule. Many organizations allow their internal users any service outbound. In this example these sessions are not logged, since they are "trusted" and would quickly fill up the logs. If this rule were placed before rule #2, any internal user would have full access to the firewall, because the destination "Any" in this rule includes the firewall itself.

Rule 4. This rule allows the Internet to connect to an internal mail server. Many companies receive email in this manner.

Rule 5. The standard clean-up rule. If the session was not accepted by an earlier rule, drop the packet and log the session.
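The five rules above are evaluated top-down, first match wins, which is why the lockdown rule must sit above the outbound rule. The following added example (not from the original page, and not Check Point's own rulebase format) models the rulebase as data and runs a minimal first-match evaluator over it, so you can check what happens to an internal host that connects to the firewall with the rules in the order shown and with rules 2 and 3 swapped. All addresses, the mail server, and the port set standing in for the "FireWall1" service are constructed placeholders.

```python
"""First-match evaluation of the five-rule lockdown rulebase (added example)."""
from ipaddress import ip_address, ip_network

# Constructed placeholder topology; none of these addresses come from the page.
FIREWALL = ip_network("192.0.2.1/32")        # the firewall's own address
ADMIN_HOSTS = ip_network("10.0.0.0/29")      # the specific admin systems of rule 1
INTERNAL = ip_network("10.0.0.0/8")          # internal users of rule 3
MAILSERVER = ip_network("10.0.1.25/32")      # internal mail server of rule 4
ANY = ip_network("0.0.0.0/0")

# Assumed stand-in for the predefined "FireWall1" service: a placeholder set of
# administrative ports, not the vendor's actual definition.
FIREWALL1_PORTS = frozenset({256, 257, 258})
SMTP = frozenset({25})
ANY_PORT = None  # wildcard: rule matches every destination port

# (source, destination, ports, action, log) in the order the page lists them.
RULEBASE = [
    (ADMIN_HOSTS, FIREWALL,   FIREWALL1_PORTS, "accept", True),   # rule 1: admin access
    (ANY,         FIREWALL,   ANY_PORT,        "drop",   True),   # rule 2: lockdown
    (INTERNAL,    ANY,        ANY_PORT,        "accept", False),  # rule 3: outbound, unlogged
    (ANY,         MAILSERVER, SMTP,            "accept", True),   # rule 4: inbound mail
    (ANY,         ANY,        ANY_PORT,        "drop",   True),   # rule 5: clean up
]


def evaluate(rulebase, src, dst, port):
    """Return (rule_position, action, logged) for the first rule that matches.

    Positions are 1-based and refer to the order in the rulebase passed in, so
    after a swap they name the slot, not the rule's original number.
    """
    s, d = ip_address(src), ip_address(dst)
    for pos, (rsrc, rdst, rports, action, log) in enumerate(rulebase, start=1):
        if s in rsrc and d in rdst and (rports is None or port in rports):
            return pos, action, log
    return None  # unreachable while a clean-up rule is last


def swap(rulebase, a, b):
    """Return a copy of the rulebase with the rules at positions a and b exchanged."""
    r = list(rulebase)
    r[a - 1], r[b - 1] = r[b - 1], r[a - 1]
    return r


def firewall_exposed_to_internal(rulebase, internal_host="10.5.5.5", port=22):
    """True if an internal (non-admin) host reaches a non-FireWall1 port on the firewall."""
    _, action, _ = evaluate(rulebase, internal_host, "192.0.2.1", port)
    return action == "accept"


if __name__ == "__main__":
    print("ordered as on the page :", evaluate(RULEBASE, "10.5.5.5", "192.0.2.1", 22))
    print("rules 2 and 3 swapped  :", evaluate(swap(RULEBASE, 2, 3), "10.5.5.5", "192.0.2.1", 22))
```

Running the module prints the drop from the lockdown rule for the page's order and an accept from the outbound rule once rules 2 and 3 are exchanged; `firewall_exposed_to_internal` wraps that check so it can sit in a test that guards a rulebase change.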