January 21, 2023

Implicit deny and discard versus drop

Many or most open source and commercial firewalls have some basic rules that are configured when the product is first installed.  These rules are defined in an access control list (ACL).  One such rule is based on the concept of Implicit Deny.  Implicit Deny means that the default answer to whether a communication is allowed to transit the firewall is always No or Deny.  An implicit deny is often the last rule or ACL in the firewall configuration.

When first getting started, the majority of ACLs tend to allow traffic to pass.  This is important in order to let traffic from authorized users and sites into the network, where each connection will be authorized.  An example of this would be allowing virtual private network (VPN) traffic inbound to a VPN concentrator, where individual users are authorized.

Firewalls process inbound or outbound communication by evaluating the ACL in order, from the highest priority or most specific entry down to the lowest priority or most generic entry.  Once an access control element (ACE) is found with conditions that match, the firewall executes that entry's action and stops evaluating.  Allow, Deny and Discard (Drop) are the actions the firewall can be configured to take for any communication that matches a particular ACL.

When traffic is found to match the conditions of an ACL with the Deny action, the communication is not permitted to proceed.  The firewall blocks the communication and sends a RST (reset) packet back to the originating device, and the communication is ended.  The RST packet is a message to the originator of the traffic stating that the connection has been closed.

An ACL using the Drop action is often referred to as a stealth mode rule.  This option is much like Deny in that it stops and drops the communication.  However, with the Drop action the firewall does not send a RST packet as described for the Deny action above.  When no RST packet goes back, the originator has no confirmation that there is a device to respond at the IP address it is trying to reach.  Even if the originator suspects that a security function is stopping it, it still cannot know anything for sure.

The implicit deny applies when traffic comes into the firewall and no ACL's conditions allow it through: the firewall drops the communication.
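The following Python model is an added example, not code from the post or from any particular firewall product.  It simulates first-match ACL evaluation with the three actions described above (Allow, Deny with RST, Drop with no response) and an implicit deny as the final, unlisted entry.  The entry names, the documentation-range addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and the sample packets are constructed for the example; `shadowed_entries` is an added check that finds entries placed after a more generic entry that would always match first, which is the ordering mistake the post warns about.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """A single connection attempt as the firewall sees it (constructed sample)."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class ACE:
    """One access control element.  action is 'allow', 'deny' (RST sent) or 'drop' (silent).
    A None field is a wildcard, so an entry with more None fields is more generic."""
    name: str
    action: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.proto is None or self.proto == pkt.proto))


# The implicit deny is not part of the configured list; it is what applies when
# nothing else matched.  Per the post, it drops silently.
IMPLICIT_DENY = ACE("implicit-deny", "drop")

# What the originator observes for each action (RST behaviour as described for TCP).
RESPONSE_TO_ORIGINATOR = {"allow": "forwarded", "deny": "tcp-rst", "drop": "nothing"}


def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, str]:
    """First-match evaluation: walk the list in order, execute the first matching ACE,
    and fall through to the implicit deny when no configured entry matches."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.name, ace.action
    return IMPLICIT_DENY.name, IMPLICIT_DENY.action


def covers(broad: ACE, narrow: ACE) -> bool:
    """True when every packet that matches `narrow` also matches `broad`."""
    return (ip_network(narrow.src).subnet_of(ip_network(broad.src))
            and ip_network(narrow.dst).subnet_of(ip_network(broad.dst))
            and broad.dport in (None, narrow.dport)
            and broad.proto in (None, narrow.proto))


def shadowed_entries(acl: List[ACE]) -> List[str]:
    """Names of entries that can never fire because an earlier, more generic entry
    matches everything they would match (generic placed above specific)."""
    return [ace.name for i, ace in enumerate(acl)
            if any(covers(earlier, ace) for earlier in acl[:i])]


# Constructed ACL, most specific first.  203.0.113.10 stands in for a VPN concentrator
# and 203.0.113.20 for a public web server; 198.51.100.0/24 is a prefix the
# administrator has chosen to silently drop.
ACL = [
    ACE("stealth-badnet", "drop", src="198.51.100.0/24"),
    ACE("vpn-inbound", "allow", dst="203.0.113.10/32", dport=4500, proto="udp"),
    ACE("ssh-reject", "deny", dst="203.0.113.20/32", dport=22, proto="tcp"),
    ACE("web-https", "allow", dst="203.0.113.20/32", dport=443, proto="tcp"),
]

# Same intent, wrong order: the generic allow sits above the specific deny.
MISORDERED = [
    ACE("web-any", "allow", dst="203.0.113.20/32"),
    ACE("ssh-reject", "deny", dst="203.0.113.20/32", dport=22, proto="tcp"),
]


if __name__ == "__main__":
    samples = [
        Packet("192.0.2.5", "203.0.113.10", 4500, "udp"),   # VPN user
        Packet("192.0.2.5", "203.0.113.20", 22),            # SSH to web server
        Packet("198.51.100.7", "203.0.113.20", 443),        # dropped prefix, even on 443
        Packet("192.0.2.5", "203.0.113.20", 8080),          # nothing matches
    ]
    for pkt in samples:
        name, action = evaluate(ACL, pkt)
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto}: "
              f"{name} ({action}), originator sees {RESPONSE_TO_ORIGINATOR[action]}")
    print("shadowed in MISORDERED:", shadowed_entries(MISORDERED))
```

The `ssh-reject` entry illustrates why Deny and Drop are kept separate: an internal user who mistypes a port gets an immediate RST and a clear "connection refused", while the `stealth-badnet` prefix and anything that falls through to the implicit deny get no response at all.  Running `shadowed_entries` against a candidate ACL before deploying it catches entries that the first-match rule will never reach.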