Based on the way my network is configured, I am unable to connect one of my servers directly to a firewall for a DMZ. I want to allow anything coming into the server, but deny where it can go. For example...
Coming from the server
Permit traffic to Active Directory
Deny traffic to 10.0.0.0 - 10.255.255.255
Deny traffic to 172.16.0.0 - 172.31.255.255
Deny traffic to 192.168.0.0 - 192.168.255.255
Permit remaining traffic destined for the internet
Coming from my network
Permit all traffic to the server (basically to allow users to copy files to it, RDP to it, etc...)
There are some specific legacy applications on this server which I do not want to have the ability to talk to the rest of the network; however, there are Internet devices that need access to them (hence the above rules). From what I have been reading, this can be accomplished with reflexive access lists. Can a regular ACL do it instead of reflexive? If my only choice is reflexive, how would I go about implementing it?
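The rule set described in the question, written out as a Cisco IOS reflexive ACL configuration. This is an added example by the editor, not something the poster supplied, and it assumes IOS syntax (the question names reflexive access lists but no platform), a server at 192.168.10.50 sitting alone behind interface GigabitEthernet0/1, and a domain controller at 192.168.10.10; all three values are placeholders. The point it makes is the ordering: the `evaluate` line has to sit above the RFC 1918 denies, because replies to RDP and file-copy sessions started from the LAN are themselves "traffic from the server to 192.168.x.x" and would otherwise be dropped.

```cisco
! Assumed addressing (placeholders, not from the question):
!   server               192.168.10.50  (only host on GigabitEthernet0/1)
!   Active Directory DC  192.168.10.10
!
! Sessions started toward the server. Applied OUTBOUND on the server-facing
! interface (packets leaving the router toward the server). Each permitted
! session is mirrored into the temporary list SERVER-RETURN.
ip access-list extended FROM-NETWORK-TO-SERVER
 remark allow LAN and Internet clients to reach the server; track the sessions
 permit tcp any host 192.168.10.50 reflect SERVER-RETURN timeout 300
 permit udp any host 192.168.10.50 reflect SERVER-RETURN timeout 60
 permit icmp any host 192.168.10.50 reflect SERVER-RETURN
 deny   ip any any

! Traffic originated by the server. Applied INBOUND on the same interface
! (packets arriving at the router from the server).
ip access-list extended FROM-SERVER
 remark 1. replies to sessions that were started toward the server
 evaluate SERVER-RETURN
 remark 2. the server may talk to Active Directory
 permit ip host 192.168.10.50 host 192.168.10.10
 remark 3. no new sessions from the server into private address space
 deny   ip host 192.168.10.50 10.0.0.0    0.255.255.255
 deny   ip host 192.168.10.50 172.16.0.0  0.15.255.255
 deny   ip host 192.168.10.50 192.168.0.0 0.0.255.255
 remark 4. everything else (Internet) is allowed
 permit ip host 192.168.10.50 any

interface GigabitEthernet0/1
 ip access-group FROM-SERVER in
 ip access-group FROM-NETWORK-TO-SERVER out
```

On the "regular ACL" question: a plain extended ACL can only approximate this. Putting `permit tcp host 192.168.10.50 any established` above the RFC 1918 denies lets TCP replies (RDP, SMB) through because it matches packets with ACK or RST set, but it is stateless, so it also passes any server-originated TCP packet with those flags set, and it does nothing for UDP or ICMP return traffic. The reflexive version permits only packets that match a session the router actually saw opened, which is why it is the closer fit for what the question asks.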