Firewall rules to allow a single IP to a single IP in a blocked subnet
I have an IP range that I block all local LAN from, so I had set up rules 9 and 10 below, which have been working fine, denying all of my internal ranges and then allowing anything else. However, I have a situation where I need to allow a couple of IPs which are fixed to access certain IPs within the blocked subnets. So I set up rule 8, which allows 10.4.26.41 and 10.4.31.245 to access 172.16.11.18. Rule 9 below then denies the subnet 172.16.11.0/24, so that might be why it's counteracting it.
Does anyone know the correct way to apply a configuration like this in order to suit my requirements?
Access control lists work like filtering potatoes: the potato goes through the first "hole" in the ACL that it fits through. If your traffic hits an allow that it meets the conditions for, it'll go through that "hole" before it hits the deny rule.
But potatoes only go one direction. ACLs send traffic back and forth.
Solution: Add a new rule after rule 8 to permit the traffic back from the 172.16.11 IPs to the 10.4.26 IPs. You need to have mirror rules.
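To make the first-match behaviour and the need for mirror rules concrete, here is a small stateless ACL evaluator. It is an added example, not code from the thread or from any firewall vendor. The rule contents are constructed to stand in for the rules described in the question: rule 8 permits the two fixed hosts to reach 172.16.11.18, rule 9 denies traffic between the internal ranges, and rule 10 permits everything else. The exact LAN prefix (10.4.0.0/16) and the assumption that rule 9 blocks both directions are mine, since the thread does not state them.

```python
"""First-match ACL walk-through (added example, not from the original post).

Rule contents are constructed to mirror the thread's description; the LAN
prefix and the shape of rule 9 are assumptions, not the asker's real config.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"  # matches every IPv4 address


@dataclass(frozen=True)
class Rule:
    label: str    # rule number as shown in the firewall UI (several entries may share one)
    action: str   # "permit" or "deny"
    src: str      # source prefix, CIDR form
    dst: str      # destination prefix, CIDR form

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        """True when both endpoints fall inside this rule's prefixes."""
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


def mirror(rule: Rule, label: str) -> Rule:
    """Return the reverse-direction twin of a rule (src and dst swapped)."""
    return Rule(label, rule.action, rule.dst, rule.src)


def evaluate(acl, src_ip, dst_ip, default="deny"):
    """Walk the ACL top to bottom; the first rule that matches decides.

    Returns (action, label) of the winning rule, or (default, None) when
    nothing matched, standing in for the implicit deny at the end of an ACL.
    """
    for rule in acl:
        if rule.matches(src_ip, dst_ip):
            return rule.action, rule.label
    return default, None


# Constructed rule set standing in for the one in the question.
ORIGINAL_ACL = [
    Rule("8", "permit", "10.4.26.41/32", "172.16.11.18/32"),
    Rule("8", "permit", "10.4.31.245/32", "172.16.11.18/32"),
    Rule("9", "deny", "10.4.0.0/16", "172.16.11.0/24"),   # assumed LAN prefix
    Rule("9", "deny", "172.16.11.0/24", "10.4.0.0/16"),   # assumed: deny covers both directions
    Rule("10", "permit", ANY, ANY),
]

# The answer's fix: mirror rules for the return path, placed right after rule 8.
MIRRORED_ACL = (
    ORIGINAL_ACL[:2]
    + [mirror(r, "8-return") for r in ORIGINAL_ACL[:2]]
    + ORIGINAL_ACL[2:]
)

# What happens if the permit is placed below the deny instead of above it.
MISORDERED_ACL = ORIGINAL_ACL[2:4] + ORIGINAL_ACL[:2] + ORIGINAL_ACL[4:]


def demo():
    """Evaluate the interesting flows against each rule set."""
    return {
        "forward, original": evaluate(ORIGINAL_ACL, "10.4.26.41", "172.16.11.18"),
        "return, original": evaluate(ORIGINAL_ACL, "172.16.11.18", "10.4.26.41"),
        "return, mirrored": evaluate(MIRRORED_ACL, "172.16.11.18", "10.4.26.41"),
        "other LAN host, mirrored": evaluate(MIRRORED_ACL, "10.4.26.50", "172.16.11.18"),
        "other blocked host, mirrored": evaluate(MIRRORED_ACL, "10.4.26.41", "172.16.11.19"),
        "internet, mirrored": evaluate(MIRRORED_ACL, "10.4.26.41", "8.8.8.8"),
        "forward, misordered": evaluate(MISORDERED_ACL, "10.4.26.41", "172.16.11.18"),
    }


if __name__ == "__main__":
    for flow, (action, label) in demo().items():
        print(f"{flow:30s} -> {action} (rule {label})")
```

The forward flow is permitted by rule 8 in both the original and mirrored sets, but the reply from 172.16.11.18 is caught by rule 9 until the mirror entries exist, and moving the permit below the deny means it never fires. The mirror-rule approach applies to stateless ACLs; a stateful firewall with connection tracking admits the return path of an established flow on its own, so check which kind of device you have before duplicating rules.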