  • Thanks for your update; this firewall just allows incoming traffic to the DMZ network (incoming connections are disabled by default). We have a next-hop setup for the subnet on the core switch pointing to the ClearOS system. With the DMZ setup, there is no LAN involved: the public IP is directly assigned to the machine behind ClearOS; you just need to allow incoming connections in the DMZ incoming firewall. With the current setup (allowing just 1 IP per rule), we will need to create 256 rules for a /24 subnet! I can see the rule in iptables but am unsure where exactly it is loaded from, so that we can make a backend update to the rule to include the entire /24 subnet.