Packet-Filtering Access Rule Structure

In the context of packet filtering, an ACL is applied to an interface in either the inbound or the outbound direction. If applied inbound, all packets attempting to go through that interface must be permitted by the entries in the ACL. Access lists are processed in a top-down fashion. As soon as the firewall finds a single entry in the ACL that matches the packet, it applies that entry's action (permit or deny) to the packet and stops evaluating the list for that packet. The firewall then moves on to the next packet and walks the list again from the top until a match occurs. If no entry in the ACL matches, the packet-filtering function assumes the worst and denies the packet.
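
The first-match, top-down evaluation and the implicit deny described above, shown as an added example that is not from the original text. The `Entry` fields, the sample ACL, and the packets are constructed for illustration and do not follow any vendor's ACL syntax.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Entry:
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp" or "ip" (any protocol)
    src: str                       # source network in CIDR form
    dst: str                       # destination network in CIDR form
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        return (self.proto in ("ip", pkt["proto"])
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.dport in (None, pkt.get("dport")))

def evaluate(acl, pkt):
    """Return (action, line) for the first matching entry, top-down."""
    for line, entry in enumerate(acl, start=1):
        if entry.matches(pkt):
            return entry.action, line    # first match wins; stop here
    return "deny", None                  # no match: implicit deny

# Constructed sample ACL (documentation address ranges, RFC 5737).
INBOUND = [
    Entry("deny",   "ip",  "198.51.100.0/24", "0.0.0.0/0"),
    Entry("permit", "tcp", "0.0.0.0/0",       "192.0.2.10/32", 443),
    # Never reached for 198.51.100.7: line 1 already matched and denied.
    Entry("permit", "tcp", "198.51.100.7/32", "192.0.2.10/32", 22),
]

# Constructed sample packets.
WEB = {"proto": "tcp", "src": "203.0.113.5", "dst": "192.0.2.10", "dport": 443}
SSH_ADMIN = {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10", "dport": 22}
DNS = {"proto": "udp", "src": "203.0.113.5", "dst": "192.0.2.10", "dport": 53}

if __name__ == "__main__":
    for name, pkt in (("web", WEB), ("ssh-admin", SSH_ADMIN), ("dns", DNS)):
        print(name, evaluate(INBOUND, pkt))
```

Because evaluation stops at the first match, the specific permit on line 3 is shadowed by the broader deny on line 1; moving it to the top changes the verdict for that host.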
