Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

Access rules for a wireless role - direction and order of operation

  • 1.  Access rules for a wireless role - direction and order of operation

    Posted May 05, 2014 04:50 PM

    We're implementing access control in the iAP for the first time - formerly done in upstream firewall, but it's time to allow one SSID better access than another.

    The process seems straightforward, but I'm confused about direction.

    The 6.3.1.1-4.0 User Guide states: "You can create rules for either inbound traffic or outbound traffic."

     

    I've got a bunch of rules which appear to work exactly like I wish from wireless client to specific destination hosts, but I can't figure out how to enter a rule allowing a specific host to access one of the wireless clients.

    Three questions:

    1. With regards to the iAP firewall, what is "inbound" and what is "outbound?"

    2. It appears that the rules are tested sequentially and the first match is acted on, is that correct?

    3. How do I allow a server in the wired network to access a client in the SSID/role covered by the ACL?



  • 2.  RE: Access rules for a wireless role - direction and order of operation

    EMPLOYEE
    Posted May 05, 2014 05:15 PM

    1) unless I'm mistaken, the rule will apply to both in/out bound.

    2) correct, they are applied top down.

    3) if your rule allows access to that server, then it is both directions, afaik, though that is easily tested.



  • 3.  RE: Access rules for a wireless role - direction and order of operation

    Posted May 05, 2014 05:38 PM

    You've confirmed my expectations, so here's what I'm seeing and can't explain:

     

    Rules in the iAP:

    [Image: Rules-in-iAP.PNG]

    Note the next to last line...

    Denies as reported to syslog:

    [Image: deny-in-iAP-syslog.PNG]

    Those would be telnet session responses and so I'm expecting them to pass just fine.

    Any thoughts on why I'm seeing denies?



  • 4.  RE: Access rules for a wireless role - direction and order of operation

    Posted Oct 01, 2014 09:12 AM

    Wouldn't you also want an allow any on server 10.22.25.167?



  • 5.  RE: Access rules for a wireless role - direction and order of operation

    Posted Oct 01, 2014 04:30 PM

    Not if #1 is correct in the prior post on anticipated behavior.

    "any and 10.21.10.5" should apply both ways.



  • 6.  RE: Access rules for a wireless role - direction and order of operation

    Posted Oct 02, 2014 02:21 PM

    Were you referring to this: "1) unless I'm mistaken, the rule will apply to both in/out bound."?



  • 7.  RE: Access rules for a wireless role - direction and order of operation

    Posted Jun 20, 2016 02:33 PM

    Any progress made towards understanding and configuring rules to access clients vs rules of what clients can access?