Firewall Rules: Use "Foo.net" in source or "any"

[flushell]

This bugged me for a long time and I cannot find a clear answer. Suppose I want a rule to give all devices on one VLAN access to one device on another VLAN - all ports, IPv4. You can make a rule like this:

Action	Pass
Interface	VLAN10
Protocol	IPv4
Source	any
Source Port	Any
Destination	192.168.20.10
Destination Port	any
Description	Allow VLAN 10 access to device

But in many tutorials I see this:

Action	Pass
Interface	VLAN10
Protocol	IPv4
Source	VLAN10_net
Source Port	Any
Destination	192.168.20.10
Destination Port	any
Description	Allow VLAN 10 access to device

It seems to me that both rules do exactly the same and that you could go for the first one. Why should you put VLAN10_net in there with the Source? The rule already applies to Interface VLAN10 only right?

[Patrick M. Hausen]

So devices in VLAN 10 cannot spoof their source IP address.

[flushell]

So devices in VLAN 10 cannot spoof their source IP address.

I was under the impression that devices of an interface can only spoof IP's of their own subnet. So that seems not a problem here (if it's true).

[Patrick M. Hausen]

It is not if there is no firewall rule in place to enforce that behavior. if you use "any", devices can use any source address.

[flushell]

It is not if there is no firewall rule in place to enforce that behavior. if you use "any", devices can use any source address.

Oh oke, thanks. So that means for allow rules I put VLAN10.net (in this example) and I can put any for deny rules?

But what about floating rules? They are for multiple interfaces, but I can only put 1 Source there...?