OPNsense
  • OPNsense Forum »
  • Archive »
  • 18.7 Legacy Series »
  • Interface groups / IP spoofing
Author Topic: Interface groups / IP spoofing  (Read 2369 times)

bewue

Interface groups / IP spoofing
« on: January 31, 2019, 12:29:19 pm »
Currently I have created firewall rules on several interface-tabs.
The firewall rules of some interface-tabs are basically the same.
I would like to summarize these interfaces in a group interface:

Code:
IPv4 ICMP   LAN1 Net    *     Other Net
IPv4 TCP    LAN1 Net    443   Other Net
...

"LAN1 Net" is the directly connected network on the interface-tab in the example.
"Other Net" is the same on all interface-tabs I want to group.

These rules effectively prevent spoofing the source IP.

In order not to maintain all rules on every interface I want to create them on a group interface only once.
A rule on the group interface would look like this:

Code:
IPv4 TCP    Group-Interface   443    Other Net

But now spoofing would be possible.
Packets with any source IP from "Group-Interface" networks could be sent from
any interface from "Group-Interface" to "Other Net".

It seems that anti-spoof rules are automatically created (on top in the rules list):

Code:
block drop in log on ! xn4 inet from 10.10.0.0/24 to any

Would the "quick" keyword in this rule be enough to solve my problem?
Is there a fundamentally different solution for my problem?
Logged
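
The rule-ordering question in the post above can be checked with a small model of pf's evaluation order (the last matching rule decides, unless a matching rule carries "quick"). This is an added example, not code from the poster or the OPNsense project. The second interface xn5, its network 10.20.0.0/24 and the default-deny fallback are assumptions, and only interface and source address are modelled.

```python
import ipaddress
from dataclasses import dataclass

LAN1 = ipaddress.ip_network("10.10.0.0/24")  # network on xn4, from the post
LAN2 = ipaddress.ip_network("10.20.0.0/24")  # assumed network on assumed xn5

@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    ifaces: frozenset     # interfaces named after "on"
    src: tuple            # source networks the rule applies to
    negate: bool = False  # True models "on ! <iface>"
    quick: bool = False

def matches(rule, iface, src_ip):
    on_iface = (iface in rule.ifaces) != rule.negate
    addr = ipaddress.ip_address(src_ip)
    return on_iface and any(addr in net for net in rule.src)

def evaluate(rules, iface, src_ip):
    # pf order: the last matching rule decides, unless a matching rule is "quick".
    verdict = "block"  # assumed default-deny when nothing matches
    for rule in rules:
        if matches(rule, iface, src_ip):
            verdict = rule.action
            if rule.quick:
                break
    return verdict

def antispoof(quick):
    # Shape of the generated rule in the post: block in on ! xn4 from 10.10.0.0/24
    return Rule("block", frozenset({"xn4"}), (LAN1,), negate=True, quick=quick)

PER_IFACE = [Rule("pass", frozenset({"xn4"}), (LAN1,)),
             Rule("pass", frozenset({"xn5"}), (LAN2,))]
GROUP = [Rule("pass", frozenset({"xn4", "xn5"}), (LAN1, LAN2))]

def spoof_results():
    spoofed = ("xn5", "10.10.0.5")  # constructed: LAN1 source on the wrong interface
    return {
        "per_interface": evaluate(PER_IFACE, *spoofed),
        "group_only": evaluate(GROUP, *spoofed),
        "group_antispoof": evaluate([antispoof(False)] + GROUP, *spoofed),
        "group_antispoof_quick": evaluate([antispoof(True)] + GROUP, *spoofed),
        "legit_on_xn4": evaluate([antispoof(True)] + GROUP, "xn4", "10.10.0.5"),
    }

if __name__ == "__main__":
    for case, verdict in spoof_results().items():
        print(f"{case}: {verdict}")
```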

bewue

Re: Interface groups / IP spoofing
« Reply #1 on: February 08, 2019, 09:11:18 am »
No ideas?