Adding an explicit "allow" rule causes return packets to drop

Question

I'm trying to set something up where I have a rule for a particular device on my LAN that will reject all traffic from that device to the internet (WAN on my XG), but then be able to define allow rules to sit above it in the rule list so that I can open up certain services. The problem is that even without the "reject" rule in place, the "accept" rule breaks communication! I'm so confused. 
 With the accept rule enabled, I can see packets go out through the rule in the logs, but nothing comes back. If I disable the accept rule, then communication works fine. What am I doing wrong?? 
 From the log (shows 0 packets received): 
 
 Rule list: 
 
 Rule configuration: 
 
 To test, I'm trying to get to zoom.us from the "VTP White" device. I previously had the source zone set as LAN and destination zone as WAN, but changing them to Any/Any didn't change anything.

Nicholas Bethard · Accepted Answer

I changed something (not totally sure what) and NTP started working as well. So indeed it seems that lacking a NAT rule (simple MASQ rule) linked to the "allow" firewall rule was causing the problem. 
 Prior to adding the linked NAT rule, the logs for a packet going out looked like the snip in my original post (for the zoom.us:443 and time-a.nist.gov:123). Packets sent, but no packets received, and no translated IP. Now everything looks correct in the logs and its all working properly.

Adding an explicit "allow" rule causes return packets to drop

Top Replies