
Permit all
Given that every consumer grade firewall that I've ever used has the generic "permit all" policy for the LAN ... it's hard to be very surprised about this.
http://www.ranum.com/security/computer_security/editorials/dumb/index.html
Only four per cent (one in 25) information security products pass muster when first tested under a widely-used industry kitemark scheme. Most products require two or more cycles of testing before achieving certification, according to security testing outfit ICSA Labs. ICSA Labs, which has tested anti-virus and firewall …
I use pf on my OpenBSD box. In case you don't know, this is "packet filter". It is very simple. It does a very good job - it keeps out everything I need it to, and keeps IN everything I don't want escaping. It never needs updating. It works.
Your typical Windows firewall if full of whizzy graphics which don't actually do anything useful, and they are too clever for their own good. I don't know why they need "updating" every five minutes. Blocking a port will be the same today as it is tomorrow. Why would an "update" help. They are also mostly opaque - i am using zone alarm on my little laptop at home. I have no idea if it's doing anything useful or not. It seems to have a life of its own. All I would like to do is allow ports 80, 443, 83, and a few others outgoing, and block pretty much everything else incomming. I can't find how to specify this though. It seems to decide for itself what to block and allow.
Typical Windows - opaque and nobody actually knows (properly) how it works.
As mentioned above, vendors usually need to make tweaks or add features to pass ICSA certification. If you want a product that meets the test specification, you need to make the same changes to the default config. These changes used to be published in the ICSA lab notes, but they stopped publishing them about a year ago. So without knowing the settings used, the cert is pretty meaningless.