We want to allow traffic from trusted sources to the internet, but still inspect the traffic. We want to disallow all other traffic.
I tried this:
drop tcp any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; sid:100003; rev:7; priority:1; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
pass ip 198.18.0.10/32 any -> ![10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/10,198.18.0.0/15] any (msg:"Allow traffic from 198.18.0.10/32 to all except private ranges"; sid:2000006; rev:1; priority: 2;)
But it will always let the traffic pass because of the pass rule, whatever the priority is. I even set the action order to drop first but the pass just gets priority.
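The rule set below is an added example and not part of the original post. It keeps the same trusted host and the same destination exclusion list as the rules above, and it assumes that sid 2000007 is unused. A pass rule that matches a packet ends rule evaluation for that packet, so a blanket pass from the trusted host and "still inspect that traffic" cannot both hold at once. The alternative is to express the deny as a drop rule scoped to every source except the trusted host, and to leave the trusted host under normal inspection so that the existing detection rules (such as sid 100003 above) still apply to it:

```suricata
# Added example, not from the original post. Assumes the same trusted host and
# exclusion list as the rules above; sid 2000007 is assumed to be unused.

# 1. Keep the existing detection rules (e.g. the GPL ATTACK_RESPONSE drop rule,
#    sid 100003) unchanged. With no pass rule in the set they are evaluated for
#    every packet, including packets from the trusted host.

# 2. Default deny for internet-bound traffic from every source other than the
#    trusted host. Being a drop rule it never conflicts with the detection
#    rules, so the action-order setting is no longer relevant. Replies from the
#    internet to 198.18.0.10 do not match, because their destination lies inside
#    the excluded 198.18.0.0/15 range; traffic between the private ranges does
#    not match either, because the destination is excluded.
drop ip ![198.18.0.10] any -> ![10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/10,198.18.0.0/15] any (msg:"Deny internet-bound traffic from untrusted sources"; sid:2000007; rev:1; priority:2;)
```

Check the file with `suricata -T -c suricata.yaml -S rules.rules` before loading it. Note that `ip` covers UDP and ICMP as well as TCP, so DNS and ping from non-trusted hosts to the internet are dropped too; if that is not wanted, add more specific drop rules instead of the catch-all. If the trusted host list grows, move it into an address variable in suricata.yaml rather than editing every rule.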
The additional information requested is to help us understand the full picture. We have a template of sorts requesting contextual information. This often provides details that are needed to proceed.