When would traffic for an interface be coming from something other than the interface net source?

imthenachoman

When creating a FW rule for an interface, I can understand matching by a single host/alias but the other options don't make sense to me.

When/how would traffic on LAN not be coming from LAN net? Like, why are all the other options in the drop-down even an option?

netblues

It also works as destination target.
Say you want something from a dmz to be able to reach all hosts on another interface.
It would be host to lan net rule.

These are just aliases, used for ease of use.

imthenachoman

@netblues

Say you want something from a dmz to be able to reach all hosts on another interface.

But then the traffic would be coming from said interface, no?

netblues

@imthenachoman obviously, yes

imthenachoman

@netblues So if you want something from a DMZ interface to be able to reach another interface, the interface would be DMZ, the implied source would be DMZ net, and the destination would be whatever you want.

Why would you need to set a source?

I guess I am trying to find a situation/use-case where you would NOT set source to any.

netblues

@imthenachoman what If you need a single host from the dmz and not the whole net
And in a more general case
What if you wanted a specific host on the Internets that you trust to have access to a resource behind pf.

Nowdays, with nat and vpn this isn't very common, but there are use cases.

imthenachoman

@netblues I see. That makes sense. Thank you!