This bugged me for a long time and I cannot find a clear answer. Suppose I want a rule to give all devices on one VLAN access to one device on another VLAN - all ports, IPv4. You can make a rule like this:
Action | Pass |
Interface | VLAN10 |
Protocol | IPv4 |
Source | any |
Source Port | Any |
Destination | 192.168.20.10 |
Destination Port | any |
Description | Allow VLAN 10 access to device |
But in many tutorials I see this:
Action | Pass |
Interface | VLAN10 |
Protocol | IPv4 |
Source | VLAN10_net |
Source Port | Any |
Destination | 192.168.20.10 |
Destination Port | any |
Description | Allow VLAN 10 access to device |
It seems to me that both rules do exactly the same and that you could go for the first one. Why should you put VLAN10_net in there with the Source? The rule already applies to Interface VLAN10 only, right?
So devices in VLAN 10 cannot spoof their source IP address.
Quote from: pmhausen on March 25, 2022, 10:20:55 AM
So devices in VLAN 10 cannot spoof their source IP address.
I was under the impression that devices of an interface can only spoof IPs of their own subnet. So that seems not a problem here (if it's true).
It is not if there is no firewall rule in place to enforce that behavior. If you use "any", devices can use any source address.
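To make the point above concrete, here is an added example (not code from the thread or from OPNsense) that models first-match rule evaluation for the two rules in the original post. It assumes VLAN10 is 192.168.10.0/24, which the thread never states, and shows that a packet arriving on VLAN10 with a source address outside that subnet is passed by the "any" rule but falls through to the default deny with the VLAN10_net rule.

```python
# Added example (not from the thread): a tiny model of first-match firewall
# rule evaluation showing why the Source field matters for anti-spoofing.
from ipaddress import ip_address, ip_network

# Constructed sample data mirroring the thread. VLAN10 = 192.168.10.0/24 is an
# assumption; the target device 192.168.20.10 is taken from the post.
NETS = {"VLAN10_net": ip_network("192.168.10.0/24")}


def rule(interface, source, destination):
    return {"interface": interface, "source": source, "destination": destination}


RULE_ANY = rule("VLAN10", "any", "192.168.20.10")        # first rule in the post
RULE_NET = rule("VLAN10", "VLAN10_net", "192.168.20.10")  # tutorial-style rule


def source_matches(spec, src):
    """'any' accepts every address; an alias restricts to its subnet."""
    if spec == "any":
        return True
    return src in NETS[spec]


def packet_passes(rules, iface, src, dst):
    """First matching pass rule wins; no match means the implicit default deny."""
    src, dst = ip_address(src), ip_address(dst)
    for r in rules:
        if r["interface"] != iface:
            continue
        if not source_matches(r["source"], src):
            continue
        if dst != ip_address(r["destination"]):
            continue
        return True
    return False


def demo():
    legit = ("VLAN10", "192.168.10.42", "192.168.20.10")
    spoofed = ("VLAN10", "192.168.30.5", "192.168.20.10")  # source not in VLAN10
    return {
        "any/legit": packet_passes([RULE_ANY], *legit),
        "any/spoofed": packet_passes([RULE_ANY], *spoofed),    # passes: spoof succeeds
        "net/legit": packet_passes([RULE_NET], *legit),
        "net/spoofed": packet_passes([RULE_NET], *spoofed),    # dropped by default deny
    }


if __name__ == "__main__":
    for name, passed in demo().items():
        print(name, "PASS" if passed else "DROP")
```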
Quote from: pmhausen on March 25, 2022, 10:59:33 AM
It is not if there is no firewall rule in place to enforce that behavior. If you use "any", devices can use any source address.
Oh okay, thanks. So that means for allow rules I put VLAN10.net (in this example) and I can put any for deny rules?
But what about floating rules? They are for multiple interfaces, but I can only put 1 Source there...?