FWIP.SYS works in the following manner:

While, strictly speaking, it is not necessary to define specific rules to deny packets (as the firewall's default rule will catch them), it is advisable to do so, as a precaution against misconfigured 'permit' rules later in the list.

Because FWIP.SYS stops searching through the list when it finds a match, a specific deny rule will catch a prohibited packet before it has a chance to be matched against any misconfigured rules in the rest of the list.
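The effect of rule order under first-match evaluation can be shown with a small model. This is an added example, not FWIP.SYS code or its rule syntax: the `Rule` class, the rule names, the sample addresses and the default-deny assumption are all hypothetical and constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "permit" or "deny"
    src: str                      # source network, CIDR
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, src_ip: str, dport: int) -> bool:
        in_net = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
        return in_net and self.dport in (None, dport)

# Assumption: the default rule denies everything that nothing else matched.
DEFAULT = Rule("default", "deny", "0.0.0.0/0")

def evaluate(rules: List[Rule], src_ip: str, dport: int) -> Rule:
    """First match wins: the search stops at the first matching rule."""
    for rule in rules:
        if rule.matches(src_ip, dport):
            return rule
    return DEFAULT

def shadowed_denies(rules: List[Rule]) -> List[str]:
    """Names of deny rules fully covered by an earlier permit (they never fire)."""
    dead = []
    for i, rule in enumerate(rules):
        if rule.action != "deny":
            continue
        net = ipaddress.ip_network(rule.src)
        for earlier in rules[:i]:
            covers_net = net.subnet_of(ipaddress.ip_network(earlier.src))
            covers_port = earlier.dport is None or earlier.dport == rule.dport
            if earlier.action == "permit" and covers_net and covers_port:
                dead.append(rule.name)
                break
    return dead

# Constructed rules: the permit was meant to be port 80 only, but the port was left unset.
BAD_PERMIT = Rule("permit-web", "permit", "0.0.0.0/0", None)
DENY_TELNET = Rule("deny-telnet", "deny", "0.0.0.0/0", 23)
PERMIT_ONLY = [BAD_PERMIT]               # relies on the default rule alone
DENY_FIRST = [DENY_TELNET, BAD_PERMIT]   # explicit deny ahead of the permits
DENY_LAST = [BAD_PERMIT, DENY_TELNET]    # explicit deny placed too late

if __name__ == "__main__":
    for label, rules in [("permit-only", PERMIT_ONLY), ("deny-first", DENY_FIRST), ("deny-last", DENY_LAST)]:
        hit = evaluate(rules, "203.0.113.7", 23)
        print(label, hit.action, hit.name, shadowed_denies(rules))
```

With the deny rule first, the telnet packet is dropped even though the permit rule is too broad; with the deny rule last, or absent, the broad permit matches first and neither the deny rule nor the default rule is ever consulted.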