How does today's firewall technology block intrusions?

Due to competition between anti-virus companies to vary/sell products, the function of a 'firewall' in a specific piece of software can vary.

You have the most common form of a firewall, which is a system in place to prevent intrusion into (mostly network based) based on a set of rules/policies. Ideally a firewall should block/restrict access to your computer from external networks based on rules blocking known harmful sources, ports, types/forms of traffic.

A standard/commercial firewall on your computer should block out access to 'vulnerable' ports to the public, such as the remote management ports. It should also have algorithms in place to block IP's if unusual behavior is detected such as an IP scanning ports, sending large amounts of data over a short time frame or using network unnecessarily or improperly. It may also use a database provided by the company to blacklist known malicious networks.

Traditionally, firewalls are on the edge of your network, and work only to prevent network intrusions, however more modern/commercial firewalls monitor systems 'internally', such as blocking software already installed on computers from accessing certain resources, or being able to modify certain files.

Firewalls do not need to be updated as often as anti-virus systems or malware detection systems, as they rely on up to date virus databanks to identify new malware. As network protocol does not change (unlike software updating, new OS's etc, constant change in software), the way the internet 'works' has remained the same for years. The only major change being the introduction of IPV6 which required new rules for firewalls to adhere to, as the network behaves slightly differently.