LAN net (macro) as Source vs specifying any (*) as Source in a rule
-
Could someone help me understand the functional difference of creating a Firewall rule on an interface and setting the Source as "LAN net" vs just leaving the source field as Any (*)?
Thanks!
-
It will only match traffic sourced from the LAN subnet.
Usually that would be the only traffic you see if the rule is on the LAN interface, but if you have other subnets routed via a gateway on the LAN, traffic from them would not match.
It's good practice to use firewall rules that are not unnecessarily open. So if you are passing traffic on the LAN you probably want to use source LAN net to prevent unexpected/incorrect traffic being passed.
Steve
-
@stephenw10 Thanks that helps clear up that question.
-
It is even more critical when you have rules with a gateway set. If you allow from a source of * and have a gateway set, it's possible to accidentally cause pf to forward broadcast traffic which could cause a network traffic loop.
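As an added illustration of the matching difference described in the two answers above (this is example code written for this page, not code from the thread, from pf or from pfSense), the following toy evaluator models a rule's Source field. The LAN subnet (192.168.1.0/24), the routed subnet behind a LAN gateway (10.10.0.0/24) and the sample packets are constructed assumptions.

```python
"""Toy model of how a pf/pfSense rule's Source field decides what it matches.

Assumptions (constructed for this example, not taken from the thread):
  - the LAN interface subnet is 192.168.1.0/24, i.e. what "LAN net" expands to
  - a second subnet 10.10.0.0/24 is routed via a gateway that lives on the LAN
"""
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("192.168.1.0/24")   # expansion of the "LAN net" macro


def rule_matches(source_field, src_ip):
    """True if a rule whose Source is `source_field` matches a packet whose
    source address is `src_ip`.  `source_field` is either the string "any"
    (the * in the GUI) or an IPv4 network such as the LAN net expansion."""
    if source_field == "any":
        return True
    return ip_address(src_ip) in source_field


# Constructed sample packets arriving inbound on the LAN interface.
PACKETS = [
    ("192.168.1.10", "host on the LAN subnet itself"),
    ("10.10.0.5", "host on a subnet routed via a gateway on the LAN"),
    ("0.0.0.0", "DHCP discover (source 0.0.0.0, destination 255.255.255.255)"),
    ("172.16.5.5", "unexpected/incorrect source address"),
]


def evaluate(source_field):
    """Map each sample source address to whether the rule would match it."""
    return {src: rule_matches(source_field, src) for src, _ in PACKETS}


def passed_only_by_any():
    """Sources that a Source=* rule passes but a Source=LAN net rule does not.
    With a gateway set on the rule, these are exactly the packets that
    Source=* would policy-route and Source=LAN net would leave alone."""
    any_result = evaluate("any")
    lan_result = evaluate(LAN_NET)
    return sorted(s for s in any_result if any_result[s] and not lan_result[s])


if __name__ == "__main__":
    for src, what in PACKETS:
        print(f"{src:14} {what:60} any={rule_matches('any', src)!s:5} "
              f"LAN net={rule_matches(LAN_NET, src)}")
    print("Passed only by Source=*:", passed_only_by_any())
```

Running it shows that only the 192.168.1.10 packet matches under Source=LAN net, while the routed-subnet host, the DHCP discover and the bogus source all match under Source=*; the DHCP case is the kind of broadcast-originated traffic the last reply warns a gateway-bearing rule would forward.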