
ACL / Rule Builder

Generate readable firewall and router rules from source, destination, port, and action intent.

What this is

ACLs and firewall rules are easy to write and hard to review. This builder takes the intent (who, where, which service, allow or deny) and emits a rule that's vendor-correct and reviewer-friendly, including the "order matters" reminder for stateless platforms.

What it covers

  • Vendor-aware formatting
  • Object naming guidance
  • Permit/deny clarity
  • Change-review output

Operator notes

  • Write the business intent before the rule.
  • Prefer narrow sources and destinations.
  • Place rules carefully; order matters.

status: Rule generation UI will be added after the core page migration.

ACL builder

permit tcp 10.0.0.0/24 host 192.168.1.10 eq 443

Frequently asked

Why does ACL order matter?
Most ACLs evaluate top-to-bottom and stop at the first match. A broad permit at the top will silently shadow a narrow deny below it. Always place specific rules first.
Should I use named or numbered ACLs?
Named — they're self-documenting and you can edit individual lines. Numbered ACLs are legacy on most platforms and harder to maintain.
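
The shadowing described in the ordering answer can be checked mechanically before a change goes to review. The following is an added example, not this tool's code: it assumes a simplified rule syntax modelled on the sample line above (action, protocol, source, destination, optional `eq` port) and reports only rules that an earlier rule covers completely, not partial overlaps.

```python
import ipaddress
from collections import namedtuple

# port None means "any port"; text keeps the original line for reporting
Rule = namedtuple("Rule", "action proto src dst port text")

def _addr(tok):
    """Consume one address spec: 'any', 'host A.B.C.D' or a CIDR prefix."""
    word = tok.pop(0)
    if word == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if word == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(word)  # rejects prefixes with host bits set

def parse(line):
    tok = line.split()
    action, proto = tok.pop(0), tok.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in: {line}")
    src, dst = _addr(tok), _addr(tok)
    if tok and (len(tok) != 2 or tok[0] != "eq"):
        raise ValueError(f"unsupported port clause in: {line}")
    return Rule(action, proto, src, dst, int(tok[1]) if tok else None, line)

def covers(a, b):
    """True when every packet that matches rule b also matches rule a."""
    return (a.proto in ("ip", b.proto)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and a.port in (None, b.port))

def find_shadowed(lines):
    """Return (kind, earlier, later) for each rule that can never match."""
    rules, findings = [parse(line) for line in lines], []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "conflict" if earlier.action != later.action else "redundant"
                findings.append((kind, earlier.text, later.text))
                break  # first match wins, as on the device
    return findings

# Constructed sample ACL; only the first line comes from the page.
ACL = ["permit tcp 10.0.0.0/24 host 192.168.1.10 eq 443",
       "permit ip 10.0.0.0/8 any",
       "deny tcp 10.0.5.0/24 host 192.168.1.20 eq 22",
       "permit tcp 10.0.0.0/24 host 192.168.1.10 eq 443"]
```

A "conflict" finding is the dangerous case from the answer above: the later deny never takes effect because the broad permit above it matches first.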
