A firewall at the subnet level. Controls the traffic can enter and leave the subnet.
By default an ACL allows all traffic in and out.
ACLs are stateless, regardless of whether a message is associated with an existing connection or not, if the rules disallows it then it will be blocked