Now try one you WANT to work: 172.16.100.0/24 Rule 1: 172.16.100.0/24 IS a match, so invert that = FALSE - rule fails, proceed to rule 2 Rule 2: 172.16.100.0/24 does NOT match 172.16.101.0/24 - invert that -> TRUE - Action = Discard So, rule 2 drops the stuff rule 1 should keep, and rule 1 drops th...