Hi
So I have my management box and a Dell 8024F stack (firmware 5.1.2.3), and then my test box.
Test box is 10.172.205.100/24
Dell is 10.172.205.1/24
This is on VLAN 205.
With no ACLs I can:
ping management -> test
ssh mgmt -> test
But if I apply
access-list vlan205_test deny icmp any any
interface vlan 205
ip access-group vlan205_test in 5
my ping replies stop. I can see them getting to the test box and the test box replying to them, so this is sort of strange, but what's even stranger is that when I SSH from my mgmt box to my test box it fails: I can see the packets arrive, so the SYN, and the test box sends back a SYN-ACK, but it never makes it back.
I would have thought that a connection started from outside VLAN 205 would allow reply packets back, plus I am not blocking SSH?
Maybe I am missing something?
Edit:
I tried this:
access-list vlan205_test deny icmp any any
access-list vlan205_test permit tcp any eq 22 any
This instead allows packets out with source port 22.
From this I am getting that it's blocking reply packets from streams initiated outside VLAN 205.
I hope I'm wrong and it's a misconfig.
Another question to tag onto this:
"Rules within an ACL are evaluated sequentially until a match is found, if any. Every ACL is terminated by an implicit deny all rule, which covers any packet not matching a preceding explicit rule."
This is what it says in the reference manual, but I can apply multiple rules with ip access-group <name> in <seq num>.
If there is a deny all at the bottom of each ACL, how can it ever process more than one ACL for an interface?
Edit: okay, solved part of my puzzle:
10.0.0.0 0.255.255.255, not 10.0.0.0 255.0.0.0 ... it's the inverse mask...!
EDIT: more testing
I am not going to rewrite; people might see the path I took.
1) Get the masks right....
2) It seems like the Dells need ACL rules to handle reply packets (not like the Cisco).
My initial plan was to build inbound filter rules (inbound on the interface of the VLAN), and I had presumed that whatever I allowed in would automatically be allowed out.
In my example, if I have:
no access-list vlan205_test
access-list vlan205_test permit icmp any any
access-list vlan205_test deny ip any any
which says ICMP can come from inside;
everything else is blocked.
On a Cisco I can still SSH from my mgmt box to my test box; seems like I can't on Dells!
I am hoping that's me misconfiguring something.
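Added example (not from the original post, and not Dell's or Cisco's code): a small Python model of a stateless, first-match ACL with an implicit deny, of the kind the post's reference manual describes, run over the three ACLs from the post. It parses only the subset of the access-list syntax the post uses (permit/deny; ip, icmp or tcp; "any" or "address wildcard"; an optional "eq PORT" after the source), and evaluates it against the reply packets the test box sends back into the switch, which is the direction an ACL applied "in" on VLAN 205 sees. It also shows the wildcard-mask mistake from the edit: 255.0.0.0 as a wildcard means "ignore the first octet, match the other three exactly", so 10.172.205.100 does not match it. The management box address and the SSH client's ephemeral port are assumptions (the post gives neither); the packet records are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "icmp" or "tcp"
    src: str
    dst: str
    sport: int = 0        # 0 when not applicable (icmp)
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches any protocol; else "icmp" or "tcp"
    src_net: int
    src_wild: int         # inverse (wildcard) mask: set bits are "don't care"
    sport: Optional[int]
    dst_net: int
    dst_wild: int
    dport: Optional[int]


def _addr(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_endpoint(tokens, i):
    """Parse 'any' or 'A.B.C.D WILDCARD', then an optional 'eq PORT'."""
    if tokens[i] == "any":
        net, wild, i = 0, 0xFFFFFFFF, i + 1
    else:
        net, wild, i = _addr(tokens[i]), _addr(tokens[i + 1]), i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = int(tokens[i + 1]), i + 2
    return net, wild, port, i


def parse_rule(line: str) -> Rule:
    """Parse 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]' (the post's subset)."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError(line)
    action, proto = t[2], t[3]
    if action not in ("permit", "deny") or proto not in ("ip", "icmp", "tcp"):
        raise ValueError(line)
    src_net, src_wild, sport, i = _parse_endpoint(t, 4)
    dst_net, dst_wild, dport, _ = _parse_endpoint(t, i)
    return Rule(action, proto, src_net, src_wild, sport, dst_net, dst_wild, dport)


def parse_acl(lines):
    return [parse_rule(l) for l in lines if l.strip()]


def _addr_match(ip: int, net: int, wild: int) -> bool:
    care = ~wild & 0xFFFFFFFF          # bits that must match exactly
    return (ip & care) == (net & care)


def rule_matches(r: Rule, p: Packet) -> bool:
    if r.proto != "ip" and r.proto != p.proto:
        return False
    if not _addr_match(_addr(p.src), r.src_net, r.src_wild):
        return False
    if not _addr_match(_addr(p.dst), r.dst_net, r.dst_wild):
        return False
    if r.sport is not None and r.sport != p.sport:
        return False
    if r.dport is not None and r.dport != p.dport:
        return False
    return True


def evaluate(rules, p: Packet):
    """Stateless first-match evaluation; nothing matched means the implicit deny."""
    for n, r in enumerate(rules, 1):
        if rule_matches(r, p):
            return r.action, f"rule {n}"
    return "deny", "implicit deny"


TEST = "10.172.205.100"                 # from the post
MGMT = "10.172.1.10"                    # assumed: the post does not give the mgmt box address
# Constructed reply packets from the test box, as seen by an ACL applied 'in' on VLAN 205.
ECHO_REPLY = Packet("icmp", TEST, MGMT)
SYN_ACK = Packet("tcp", TEST, MGMT, sport=22, dport=51000)   # client port 51000 is assumed

ACL_DENY_ICMP = parse_acl(["access-list vlan205_test deny icmp any any"])
ACL_WITH_SSH_REPLY = parse_acl(["access-list vlan205_test deny icmp any any",
                                "access-list vlan205_test permit tcp any eq 22 any"])
ACL_ICMP_ONLY = parse_acl(["access-list vlan205_test permit icmp any any",
                           "access-list vlan205_test deny ip any any"])


def scenario_results():
    """(echo reply verdict, SYN-ACK verdict) for each ACL from the post."""
    return {name: (evaluate(acl, ECHO_REPLY)[0], evaluate(acl, SYN_ACK)[0])
            for name, acl in [("deny_icmp_only", ACL_DENY_ICMP),
                              ("deny_icmp_permit_sport22", ACL_WITH_SSH_REPLY),
                              ("permit_icmp_deny_ip", ACL_ICMP_ONLY)]}


def wildcard_check():
    """Inverse mask vs. subnet mask written where the wildcard belongs."""
    right = parse_rule("access-list m permit ip 10.0.0.0 0.255.255.255 any")
    wrong = parse_rule("access-list m permit ip 10.0.0.0 255.0.0.0 any")
    return rule_matches(right, ECHO_REPLY), rule_matches(wrong, ECHO_REPLY)


if __name__ == "__main__":
    for name, verdicts in scenario_results().items():
        print(f"{name}: echo reply -> {verdicts[0]}, SYN-ACK -> {verdicts[1]}")
    print("wildcard 0.255.255.255 / 255.0.0.0 match 10.172.205.100:", wildcard_check())
```

With only "deny icmp any any" in the list, the SYN-ACK is not matched by any explicit rule and falls through to the implicit deny, which is the behaviour the post observed; the "permit tcp any eq 22 any" line is what lets a source-port-22 reply through a stateless filter.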