Yep
Start with block all, allow nothing. Slowly open services/ports as needed per application. Whenever possible, create as specific a rule as possible. For example, rather than allowing inbound HTTP/HTTPS to the webserver network, restrict it to the specific IPs of the webservers. The same goes for every service, in each direction.
Since you asked question 4, you really should brush up on TCP/IP first. You need a basic understanding of UDP/TCP/IP in general before you can get into securing IP.
Something like http://www.dummies.com/WileyCDA/DummiesTitle/productCd-0764517600.html is a great start.
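As an added example (not part of the reply above, and not tied to any particular firewall the poster had in mind), here is what "block all, then open only what each application needs, to specific hosts, in each direction" looks like as an nftables ruleset rendered by a small POSIX shell script. Everything concrete in it is assumed for illustration: 192.0.2.0/24 as the webserver subnet and 192.0.2.10/11 as the two webservers, 198.51.100.53 as the only resolver they may query, and wan0/lan0 as the firewall's interface names.

```shell
#!/bin/sh
# Added example, not from the original post: render a default-deny nftables
# ruleset for a perimeter firewall in front of a small webserver network.
# All addresses are RFC 5737 documentation ranges and are assumed here:
#   192.0.2.10, 192.0.2.11  the webservers (passed as arguments)
#   198.51.100.53           the one resolver the webservers may talk to
#   wan0 / lan0             hypothetical outside / inside interface names

gen_ruleset() {
    # $@ = the specific webserver addresses allowed to receive HTTP/HTTPS.
    # Build the comma-separated element list for an nft set.
    elems=$(printf '%s, ' "$@")
    elems=${elems%, }
    cat <<EOF
flush ruleset
table inet filter {
    set web_servers {
        type ipv4_addr
        elements = { ${elems} }
    }

    # Traffic aimed at the firewall itself: only loopback and return traffic.
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        ct state invalid drop
    }

    # Traffic passing through the firewall; this is where the webservers sit.
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Inbound: only HTTP/HTTPS, and only to the named webservers,
        # not to the whole 192.0.2.0/24 subnet.
        iifname "wan0" oifname "lan0" ip daddr @web_servers tcp dport { 80, 443 } ct state new accept

        # Outbound from the webservers: only DNS, and only to our resolver.
        iifname "lan0" oifname "wan0" ip saddr @web_servers ip daddr 198.51.100.53 udp dport 53 accept
        iifname "lan0" oifname "wan0" ip saddr @web_servers ip daddr 198.51.100.53 tcp dport 53 accept
    }

    # Traffic the firewall box originates: blocked by default as well.
    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oif "lo" accept
    }
}
EOF
}

# Count the hook chains that carry a drop policy. A default-deny ruleset
# covering input, forward and output must report 3.
count_drop_policies() {
    gen_ruleset "$@" | grep -c 'policy drop'
}

# Render the ruleset and, if nft is installed, parse it without loading it
# (nft -c is the check/dry-run mode). Loading is a separate, deliberate step.
out_file="${TMPDIR:-/tmp}/filter.nft"
gen_ruleset 192.0.2.10 192.0.2.11 > "$out_file"
if command -v nft >/dev/null 2>&1; then
    if nft -c -f "$out_file"; then
        echo "ruleset parses; load it with: nft -f $out_file"
    else
        echo "ruleset failed the nft syntax check"
    fi
fi
```

The shape is the point rather than the exact rules: every hook chain ends in `policy drop`, the inbound allow names the webserver addresses in a set instead of the subnet, and the outbound side is just as narrow (one protocol to one host). Each new application then gets its own line added to the forward chain, and nothing else changes.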