An IP filter can contain both an allow and a deny element, although it is not required. The interaction between the two element types (and their masks) depends on the type of filter they inhabit. The filter type determines which element the system processes first (the primary), as shown in Working with the Effects of Filter Type on allow and deny Elements. The primary element determines the basic rules by which the filter operates. The secondary element defines the exceptions to those rules.
The examples that follow show the interaction between allow and deny elements.
These examples are for a restrictive filter. Masking principles for a permissive filter are similar, but the filter tests allow and deny elements in the opposite order.