Matching All Egress Packets

Unlike an ingress ACL rule, an egress ACL rule must specify either a source or a destination address; you cannot write it with no match conditions.

For example, an ingress ACL deny all rule could be:

entry DenyAllIngress{
	if {
	} then {
		deny;
	}
}

The previous rule would not work as an egress ACL.

The following is an example of an egress ACL deny all rule:

entry DenyAllEgress{
	if {
		source-address 0.0.0.0/0;
	} then {
		deny;
	}
}
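
A pre-deployment check for the requirement above, as an added example that is not part of the original documentation: it parses policy text and reports entries that have no source or destination address condition and so would not work as egress rules. The function name, the `destination-address` keyword spelling, the treatment of `#` as a comment marker, and the `CommentedOut` entry are assumptions made for this example.

```python
import re

# One entry: entry <name> { if [qualifier] { <conditions> } then { <actions> } }
ENTRY_RE = re.compile(
    r"entry\s+(?P<name>[^\s{]+)\s*\{\s*if\b[^{}]*\{(?P<match>[^{}]*)\}"
    r"\s*then\s*\{(?P<actions>[^{}]*)\}\s*\}"
)
# "source-address" is from the text; the destination keyword spelling is assumed.
ADDRESS_KEYWORDS = {"source-address", "destination-address"}

def lint_egress(policy_text):
    """Return the names of entries that have no address match condition."""
    # Assumption: '#' starts a comment. Comments are dropped so that a
    # commented-out condition is not counted as a match condition.
    text = re.sub(r"#.*", "", policy_text)
    flagged = []
    for entry in ENTRY_RE.finditer(text):
        conditions = [c.split() for c in entry.group("match").split(";") if c.strip()]
        if not any(c[0] in ADDRESS_KEYWORDS for c in conditions):
            flagged.append(entry.group("name"))
    return flagged

# Constructed sample: the two entries from the text plus one made-up entry.
SAMPLE = """
entry DenyAllIngress{
	if {
	} then {
		deny;
	}
}
entry DenyAllEgress{
	if {
		source-address 0.0.0.0/0;
	} then {
		deny;
	}
}
entry CommentedOut{
	if {
		# source-address 0.0.0.0/0;
	} then {
		deny;
	}
}
"""

if __name__ == "__main__":
    for name in lint_egress(SAMPLE):
        print(f"{name}: no source or destination address, not valid as an egress rule")
```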