Firewall rules define how an internet firewall either passes or prevents network packets from traversing from one side of the firewall to the other.
Rules are written based on source and/or destination IP address, source and/or destination IP Port as well as other attributes contained within the network packets.
In a Unix system these 'rules' might be written using ipchains. For example:
ipchains -A input -i eth1 -p udp -s 0/0 -d 0/0 0:1023 -l -j DENY
Will not pass (ie will DENY) any upd packet incoming on ethernet interface eth1 with a port number below 1023
Using combinations of such rules, you can control what packets are allowed to enter or leave a firewall. This is the basis for protecting those systems inside the firewall from those outside the firewall.