* vs. subnet as source for pass rules?



  • I have an interface called "myInterface" with 192.168.1.0/24. When defining a pass rule, is there a difference between * and selecting "myInterface subnet" as the source? Does the latter one prevent IP spoofing?



  • You haven't provided enough information as to the context of the rule and exactly what you are trying to allow (or prevent) with it.

    Having said that, I would venture to say that many, many reports saying "it doesn't work" in the NAT/Firewall rule area involve a rule that specifies a source address or network instead of "any."



  • OK, a use case:
    Imagine I have a WAN and a LAN interface, so basically a simple pfSense standard setup.
    LAN interface is 192.168.1.0/24, the only rule on the LAN interface is either

    1. source: *, destination: *, port: 80,443
      or
    2. source: lan subnet, destination: *, port: 80,443

    Now a client is plugged into the LAN port. Are there any possible differences between the rules? What if the client e.g. doesn't have an IP in the subnet 192.168.1.0/24? Will his HTTP access be blocked in case of rule 2?



  • @srynoname:

    What if the client e.g. doesn't have an IP in the subnet 192.168.1.0/24? Will his HTTP access be blocked in case of rule 2?

    If the client plugged into the LAN port doesn't have an IP address within 192.168.1.0/24, then it will not be able to communicate on that interface at all. It's not a matter of rules.



  • Where I've seen this break is if you have another router on 192.168.1.0/24…. and behind it is say 192.168.2.0/24 and a device on that subnet tries to get out the WAN on your original router it will be blocked by the rule with "lan subnet" applied.

    Basic idea is only allow what's needed. If you need to allow a second subnet through then specifically allow it but don't put any unless you really don't care where the traffic is coming from.



  • @focalguy:

    Where I've seen this break is if you have another router on 192.168.1.0/24…. and behind it is say 192.168.2.0/24 and a device on that subnet tries to get out the WAN on your original router it will be blocked by the rule with "lan subnet" applied.

    That's really the only difference. The built-in antispoofing will prevent traffic sourced from an interface where that network doesn't actually reside per the routing table, so if you have a single subnet on LAN and no routes via that interface for instance, using "LAN subnet" or "any" for the source is functionally equivalent.
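    As an added illustration of the two posts above (this is not code from the thread, from pfSense or from pf), here is a small Python model of how a LAN pass rule with source "any" versus "LAN subnet" interacts with the routing-table based antispoof check the reply describes. The routing tables, addresses and the two rule forms are constructed assumptions that reduce pf to just the two checks under discussion; real pf rule processing does much more than this.

```python
"""Model of pfSense LAN pass rule source "any" vs "LAN subnet" plus antispoof.

Added illustration, not pfSense/pf code. Assumptions (constructed): two
interfaces, a LAN of 192.168.1.0/24, and an antispoof check modelled as a
reverse-path test against the routing table, as described in the thread.
"""
import ipaddress
from dataclasses import dataclass, field

LAN_IF = "lan"
WAN_IF = "wan"
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Router:
    # Routing table: destination network -> egress interface (constructed).
    routes: dict = field(default_factory=dict)

    def egress_for(self, addr):
        """Longest-prefix match: which interface would a packet *to* addr leave on."""
        best = None
        for net, iface in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None


def antispoof_blocks(router, in_iface, src):
    """Reverse-path style antispoof: a packet arriving on in_iface is dropped
    if the routing table would send traffic back to its source out a
    different interface, i.e. that source network does not live behind in_iface."""
    return router.egress_for(src) != in_iface


def rule_source_matches(rule_source, src):
    """The only two source choices the thread compares."""
    if rule_source == "any":
        return True
    if rule_source == "lan subnet":
        return src in LAN_NET
    raise ValueError(f"unknown rule source {rule_source!r}")


def lan_http_allowed(router, rule_source, src_ip, dst_port):
    """Evaluate the thread's single LAN pass rule (ports 80/443) for one packet.
    Antispoof runs before the user rule, as it does on pfSense."""
    src = ipaddress.ip_address(src_ip)
    if dst_port not in (80, 443):
        return False
    if antispoof_blocks(router, LAN_IF, src):
        return False
    return rule_source_matches(rule_source, src)


def scenarios():
    """The three situations discussed: a normal LAN client, a client on a
    second subnet behind another router with no route for it, and the same
    with a static route for 192.168.2.0/24 pointing back out the LAN."""
    single_subnet = Router({LAN_NET: LAN_IF, DEFAULT: WAN_IF})
    with_route = Router({
        LAN_NET: LAN_IF,
        ipaddress.ip_network("192.168.2.0/24"): LAN_IF,  # static route via LAN
        DEFAULT: WAN_IF,
    })
    return {
        # Single subnet on LAN: "any" and "lan subnet" behave the same.
        "lan client / any": lan_http_allowed(single_subnet, "any", "192.168.1.50", 443),
        "lan client / lan subnet": lan_http_allowed(single_subnet, "lan subnet", "192.168.1.50", 80),
        # 192.168.2.x arriving on LAN with no route for it: antispoof drops it
        # before either rule form is consulted.
        "no route / any": lan_http_allowed(single_subnet, "any", "192.168.2.5", 80),
        "no route / lan subnet": lan_http_allowed(single_subnet, "lan subnet", "192.168.2.5", 80),
        # With a static route via LAN, antispoof passes it, and only the rule
        # source decides: "any" allows, "lan subnet" blocks.
        "routed / any": lan_http_allowed(with_route, "any", "192.168.2.5", 80),
        "routed / lan subnet": lan_http_allowed(with_route, "lan subnet", "192.168.2.5", 80),
        # A non-HTTP port never matches the rule regardless of source.
        "lan client / any / port 22": lan_http_allowed(with_route, "any", "192.168.1.50", 22),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:30s} -> {'pass' if allowed else 'block'}")
```

    The only scenario where the two rule forms diverge is the last pair, the routed second subnet, which is exactly the case described above.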



  • I've just seen I forgot to say thanks for your posts, now I understand the (seldom) difference :-)

