Access lists should allow or deny traffic based on network security policies.

For example, your policy may allow all outbound traffic to flow without restrictions, while allowing access only to incoming traffic that has an established connection originating from the network.