Difference between "ANY" & "Interface Net" as source



  • What is the difference between choosing "ANY" vs "LAN net" as the source when configuring a firewall rule on the LAN interface?

    The manual states:

    any - 0.0.0.0 to 255.255.255.255, or all IPv6 addresses

    LAN net - The subnet configured on the LAN interface under Interfaces > LAN. On pfSense 2.2+, this also

    According to the above statements from the manual, choosing "ANY" vs "Interface Address" will get you the same result if your intent is to specify all hosts. When might one choose one over the other? Is there a best practice?



  • @imcdona thank you for this question. 🦌
    Well, you can test it yourself to see whether anything interesting worth reporting happens!
    So, please first run a test session with the default pfSense configuration loaded, and at the end of the first round of testing, please go to:
    Firewall / NAT / Outbound and switch the outbound NAT mode from Automatic to Manual Outbound NAT rule generation
    (AON - Advanced Outbound NAT), disabling auto rule generation; save the new configuration and reboot to run a new test session with auto rule generation disabled.

    Thanks for your time 😎


  • Netgate

    Any is just that. Any address.

    It is generally best practice to only allow traffic into your firewall that should be allowed in.

    There is generally no reason to allow traffic into LAN that is not sourced from an address on LAN Network.

    When you get into allowing traffic in from downstream routers the traffic you need to pass into an interface can expand.
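    The following is an added example, not code from the thread or from pfSense, that models how the rule's source selector decides which packets a LAN-interface rule matches: "any" passes every address, "LAN net" only the subnet configured under Interfaces > LAN, and an alias is what you reach for once downstream routers sit behind LAN. The LAN subnet, the downstream network and the sample source addresses are constructed for illustration.

    ```python
    # Added example (not part of the forum thread): how the "source" field of a
    # pfSense LAN rule matches packet sources for "any" vs "LAN net" vs an alias.
    import ipaddress
    from typing import Iterable, Union

    Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

    # Constructed topology for the demo (assumed values, not from the thread).
    LAN_NET = ipaddress.ip_network("192.168.1.0/24")           # Interfaces > LAN
    DOWNSTREAM_NETS = [ipaddress.ip_network("10.10.0.0/24")]   # behind a router on LAN


    def source_matches(source: str, src_ip: str,
                       lan_net: Network = LAN_NET,
                       extra: Iterable[Network] = ()) -> bool:
        """Return True if src_ip satisfies the rule's source selector.

        'any'     -> 0.0.0.0/0 plus ::/0, i.e. every possible address
        'LAN net' -> only the subnet configured on the LAN interface
        'alias'   -> LAN net plus the downstream networks listed in `extra`,
                     the usual way to widen a rule once routers sit behind LAN
        """
        ip = ipaddress.ip_address(src_ip)
        if source == "any":
            return True
        if source == "LAN net":
            return ip in lan_net          # False for other subnets and other IP versions
        if source == "alias":
            return ip in lan_net or any(ip in net for net in extra)
        raise ValueError(f"unknown source selector: {source}")


    def passed_only_by_any(packets: Iterable[str], lan_net: Network = LAN_NET,
                           extra: Iterable[Network] = ()) -> list:
        """Sources an 'any' rule lets in that neither LAN net nor the alias
        would: addresses that should not arrive on LAN in the first place."""
        extra = list(extra)
        return [p for p in packets
                if not source_matches("alias", p, lan_net, extra)]


    # Constructed sample sources seen on the LAN interface.
    SAMPLE_SOURCES = ["192.168.1.50", "10.10.0.7", "203.0.113.9", "2001:db8::1"]

    if __name__ == "__main__":
        for sel in ("any", "LAN net", "alias"):
            hits = [p for p in SAMPLE_SOURCES
                    if source_matches(sel, p, extra=DOWNSTREAM_NETS)]
            print(f"{sel:8s} matches {hits}")
        print("only 'any' would pass:", passed_only_by_any(SAMPLE_SOURCES, extra=DOWNSTREAM_NETS))
    ```

    The last line shows what an "any" source quietly admits beyond LAN net and the alias, which is the point of keeping the source as narrow as the known networks behind the interface.
    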



  • @derelict said in Difference between "ANY" & "Interface Net" as source:

    When you get into allowing traffic in from downstream routers the traffic you need to pass into an interface can expand.

    Brain fart...Duh! 🤦 I suppose I got sidetracked when I interpreted "Lan net" to mean "anything behind the lan interface" as opposed to the networks directly attached to the LAN interface.

    Thanks for that clarification.