Firewall ACL — FW-EDGE-01

Stateful firewall, conntrack enabled, first-match-wins, implicit deny at the bottom.

Active policy

# rule action  src              dst              proto  dport     comment
1      permit  any              any              any    any       state ESTABLISHED,RELATED
10     permit  any              10.0.5.40        tcp    443       webserver HTTPS
11     permit  any              10.0.5.40        tcp    80        webserver HTTP
20     permit  10.0.0.0/8       any              tcp    443       outbound HTTPS from LAN
21     permit  10.0.0.0/8       any              udp    53        outbound DNS from LAN
22     permit  10.0.0.0/8       any              tcp    80        outbound HTTP from LAN
50     deny    any              10.0.5.40        tcp    22        no SSH on webserver
100    permit  10.0.0.0/8       any              any    any       LAN any outbound
# implicit deny all

Packets to trace

#  Direction  Proto  Src                  Dst
1  WAN→LAN    tcp    203.0.113.55:54123   10.0.5.40:443
2  WAN→LAN    tcp    198.51.100.7:51200   10.0.5.40:22
3  WAN→LAN    udp    8.8.8.8:53           10.0.10.20:54123 (reply to existing query)
4  LAN→WAN    tcp    10.0.5.40:443        203.0.113.55:54123 (reply on existing session)