I've found the scope of my firewall to be somewhat self-limiting.
It is a difficult matter to firewall as many subnets as I do without incidentally blocking someone for whom access is required.
So then, in an effort to quell this issue once and for all, I am putting in specific firewall rules for those with whom I do regular business, and even though they may be members of some supernet that is denied access, they still get through.
That requirement necessitated a rework of the allows and it will be an ongoing high maintenance endeavor over time.
It's a persnickety way to handle those iron fist policies I have in place but hey ...
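The mechanism described above, a host-specific allow that wins over a broader supernet deny, only works if the allow is evaluated before the deny, which is exactly what makes the allow list high maintenance. The following is an added example, not the author's ruleset or tooling: a small first-match evaluator over constructed, hypothetical addresses (RFC 5737 documentation ranges) plus a shadowing check that flags any allow placed below a supernet rule that already covers it, which is the check worth running after each edit to the allows.

```python
from ipaddress import ip_address, ip_network

# Constructed sample ruleset (hypothetical addresses, not the author's).
# Evaluated top to bottom, first match wins: the explicit allow for a
# business partner's host sits ABOVE the supernet deny it would otherwise fall under.
RULES = [
    ("allow", ip_network("203.0.113.77/32")),  # hypothetical partner host
    ("deny",  ip_network("203.0.113.0/24")),   # supernet blocked as a whole
    ("deny",  ip_network("198.51.100.0/24")),  # another blocked supernet
    ("allow", ip_network("0.0.0.0/0")),        # default policy for everything else
]


def evaluate(rules, src):
    """Return (action, rule_index) for the first rule whose network contains src.

    Falls back to an implicit default deny when nothing matches.
    """
    addr = ip_address(src)
    for idx, (action, net) in enumerate(rules):
        if addr in net:
            return action, idx
    return "deny", None


def shadowed_rules(rules):
    """Return indices of rules that can never match because an earlier rule
    already covers their whole network.

    A partner allow placed below its supernet deny is shadowed: it does
    nothing, and the partner stays blocked without any error being raised.
    """
    shadowed = []
    for i, (_, net) in enumerate(rules):
        for _, earlier in rules[:i]:
            if net.subnet_of(earlier):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    for src in ("203.0.113.77", "203.0.113.5", "192.0.2.9"):
        print(src, "->", evaluate(RULES, src))
    # Same rules with the partner allow moved below its supernet deny:
    misordered = [RULES[1], RULES[0]] + RULES[2:]
    print("shadowed in misordered set:", shadowed_rules(misordered))
```

The shadowing check is the part worth keeping around: every time a new allow is added for a partner inside a denied supernet, running it over the ruleset catches the ordering mistake before the partner reports being blocked.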