Topic: Practical difference between subnet and * as source?
« on: May 12, 2009, 14:52:02 »
Seb74 ***
Posts: 115

When you make a rule, you might say it applies to everything that enters the LAN interface.
Then you define the source that should be matched: you can match a single host, for example, or you could match LAN Subnet or *, and I wonder what the difference could be between subnet and *.

I mean, all the PCs that could possibly communicate out through the LAN interface must (right?) be part of the LAN subnet, so might there ever be any reason for putting * there instead, or will it always give the same result?

I just tried it myself, since I wasn't 100% sure: I took a /28 subnet on one interface and configured a PC to use an IP outside that /28 but with a /24 netmask. I thought maybe the interface would accept it and I could bypass firewall rules blocking on subnet source instead of *, but it didn't work, so I guess no PC could ever get use of a local interface if the subnet doesn't exactly match, and then source=subnet would equal source=*.

Anyone?
It doesn't matter much, I just want to know how stuff works... I've mostly used subnet as source so far, but if it's incorrect for fully secure rule matching, let me know.

Thanks :)
« Reply #1 on: May 12, 2009, 23:01:18 »
brushedmoss ****
Posts: 446

In your use case, there may be no difference between * and subnet. In my use case, I have multiple subnets inside the firewall, via other routers etc. and VPNs, and I have static routes on m0n0wall to help make all this work.

* would block traffic to everything routed via that if, not just the configured range ...
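An added illustration of the point in this reply (example code written here, not code from the thread or from m0n0wall): a small Python model of first-match rule evaluation on the LAN interface, with two rulesets that differ only in whether the blocking rule's source is "LAN subnet" or "*". The topology is constructed: the firewall's LAN is 192.168.1.0/24, a second network 10.20.0.0/24 sits behind an inner router on the LAN and is reached by a static route, and 192.168.50.10 is a host on some other firewall interface. The evaluator assumes first-match-wins with an implicit final block, which is how m0n0wall's rules behave; the field names are this example's own.

```python
import ipaddress

# Constructed topology: the firewall's LAN subnet, and a second subnet reached through an
# inner router on the LAN via a static route (the multi-subnet case described in the reply).
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")
ROUTED_SUBNET = ipaddress.ip_network("10.20.0.0/24")  # not part of LAN_SUBNET


def source_matches(rule_source, src):
    """Match a rule's source field as the GUI choices read: '*', 'LAN subnet', or a CIDR/host."""
    src = ipaddress.ip_address(src)
    if rule_source == "*":
        return True                      # anything entering the interface, whatever its address
    if rule_source == "LAN subnet":
        return src in LAN_SUBNET         # only the interface's configured range
    return src in ipaddress.ip_network(rule_source, strict=False)


def evaluate(rules, src, dst):
    """First matching rule wins; traffic matching no rule is blocked (assumed default deny)."""
    dst = ipaddress.ip_address(dst)
    for rule in rules:
        dest_ok = rule["dest"] == "*" or dst in ipaddress.ip_network(rule["dest"], strict=False)
        if source_matches(rule["source"], src) and dest_ok:
            return rule["action"]
    return "block"


# Two constructed rulesets that differ only in the source of the blocking rule.
RULES_SUBNET = [
    {"action": "block", "source": "LAN subnet", "dest": "192.168.50.10/32"},
    {"action": "pass",  "source": "*",          "dest": "*"},
]
RULES_ANY = [
    {"action": "block", "source": "*",          "dest": "192.168.50.10/32"},
    {"action": "pass",  "source": "*",          "dest": "*"},
]


def compare(src, dst):
    """Return (result with 'LAN subnet' as source, result with '*' as source)."""
    return evaluate(RULES_SUBNET, src, dst), evaluate(RULES_ANY, src, dst)


if __name__ == "__main__":
    # A LAN host and a host on the routed subnet behind the inner router, both entering via LAN.
    for src in ("192.168.1.25", "10.20.0.7"):
        print(src, "->", compare(src, "192.168.50.10"))
```

The LAN host is blocked either way, but the packet from 10.20.0.7 slips past the "LAN subnet" block and is passed, whereas "*" blocks it too; that is exactly the difference once other subnets are routed in through the same interface.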
« Reply #2 on: May 12, 2009, 23:47:05 »
Seb74 ***
Posts: 115

Yeah of course, that must be one case where it matters. For me maybe it doesn't at all, with only direct and local subnets.


But damn, bedtime here, and your answer just brought a thought to my head that I should know the answer to :(

I can't communicate with any PC, or the router's interface, if I'm on the wrong subnet.
But when a PC sends traffic that is routed through a router, when it exits the router and enters another interface, then it's on another subnet but the original source is of course on another net... how can the packet flow on through different networks? The router doesn't, like, overwrite the source address, and I don't remember there being two IP source fields in TCP/IP.
How come the router can send a packet that gets through, with a source IP of some other network, when a simple host can't get any connection if its IP doesn't match the network it's connected to?

Oh well, off topic and all, and it must be plain stupid 'cause I'm tired and I've forgotten so much networking in the last year... just writing this crap down so I remember it for tomorrow and can dig into it and see where my logic totally fails :D
« Reply #3 on: May 13, 2009, 09:11:44 »
Seb74 ***
Posts: 115

I guess it's all got to do with layer 2... if a PC gets an ARP request from a PC on another network then that PC just won't answer, so the "outsider" not belonging to the network never gets the MACs needed to send anything.
That MIGHT be a reason a PC with the wrong network configuration can't communicate, but if it anyway knows the MAC for, for example, the router interface, maybe it can still force traffic out of the network?

I mean, the router (or any other device) can't just look at the IP and say "hey, that source IP doesn't belong here" because it could as well have been routed from another network, so THAT just can't be what separates them.

Hmmm....

EDIT: My CCNA book says that a host receiving an ARP just checks if the packet's destination matches its own IP, and if it does it sends an answer to the asking MAC address.
I start to wonder if this is something I have once understood, or if I just never have given it any thought....that is, what makes a pc not belonging to a local network isolated. :s
« Last Edit: May 13, 2009, 09:35:59 by Seb74 »
« Reply #4 on: May 13, 2009, 10:05:14 »
Seb74 ***
Posts: 115

Hehe, going crazy here :D

I think it's like this: the PC with the wrong conf, not fitting in a local subnet, never even tries to send anything... it's stopping itself, of course. If the dest is on another netw it sends to its DG, and that DG won't exist since it's in the wrong network, so no one will answer the eventual ARP broadcast that will come out.

If on the other hand the PC would break the rules (theoretically) and anyway send a packet directly to the destination host on the same physical network (but not the same logical one, since the sending host has the wrong conf), then I guess the traffic actually comes through.
The ARP response will probably get back also, since it's just layer 2.
When the wrongly configured host then tries to send regular packets, TCP or whatever, it sends directly to its newly learned MAC so it will get through, but I don't know what will happen when the other end answers... if it will go by MAC and find the right way through the switch, or if it will look at the IP destination and send to its DG and the packet will be lost since the router won't find a dest for that wrongly configured private network.
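An added worked example for the reasoning in replies #2 to #4 (example code written here, not code from the thread or from m0n0wall): it models three separate decisions that the thread keeps running together. First, what a host does with a packet given its own, possibly wrong, address and mask (ARP for the destination, ARP for the gateway, or give up because the gateway is not on-link). Second, whether the receiver answers an ARP request, using only the rule the CCNA book on the page gives (it checks the target IP is its own and nothing else). Third, which interface a router's reply to the misconfigured host would leave by, using ordinary longest-prefix match over its routing table. The addresses recreate the /28 experiment from the first post: a router LAN of 192.168.1.1/28 and a host at 192.168.1.100 with a /24 mask. All addresses, the route table and the function names are constructed for this example; 203.0.113.10 is a documentation address standing in for some Internet host.

```python
import ipaddress


def forwarding_decision(host_cidr, gateway, dest):
    """What a host does with a packet to dest, judged only from its own configuration.

    ('direct', ip)        -> dest is believed on-link, host ARPs for dest itself
    ('gateway', ip)       -> dest is off-link, host ARPs for its default gateway
    ('unreachable', None) -> gateway is not on-link either; there is nothing to ARP for
    """
    iface = ipaddress.ip_interface(host_cidr)
    dest = ipaddress.ip_address(dest)
    gateway = ipaddress.ip_address(gateway)
    if dest in iface.network:
        return ("direct", str(dest))
    if gateway in iface.network:
        return ("gateway", str(gateway))
    return ("unreachable", None)


def arp_would_reply(receiver_ip, arp_target_ip):
    """ARP responder as the CCNA description on the page states it: the receiver checks only
    whether the request's target IP is its own. The sender's IP is not checked against any subnet."""
    return ipaddress.ip_address(receiver_ip) == ipaddress.ip_address(arp_target_ip)


def router_return_route(routes, dest):
    """Longest-prefix match: the interface a router sends a packet to dest out of (None if no route)."""
    dest = ipaddress.ip_address(dest)
    best = None
    for prefix, out_if in routes:
        net = ipaddress.ip_network(prefix)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, out_if)
    return best[1] if best else None


# Constructed router table: the /28 LAN from the first post's experiment, plus a default route.
ROUTER_ROUTES = [
    ("192.168.1.0/28", "LAN"),   # 192.168.1.0 - 192.168.1.15
    ("0.0.0.0/0",      "WAN"),
]


def walk_through(host_cidr, gateway, dest):
    """Chain the three decisions for one host and return them as a dict (for reading, and for tests)."""
    step, next_ip = forwarding_decision(host_cidr, gateway, dest)
    host_ip = str(ipaddress.ip_interface(host_cidr).ip)
    return {
        "host_action": step,
        "arps_for": next_ip,
        # only meaningful when the host ARPs for the router at 192.168.1.1
        "router_answers_arp": arp_would_reply("192.168.1.1", next_ip) if next_ip else False,
        "reply_leaves_router_via": router_return_route(ROUTER_ROUTES, host_ip),
    }


if __name__ == "__main__":
    # Misconfigured host from the first post: outside the /28, but believing the net is a /24.
    print("wrong mask :", walk_through("192.168.1.100/24", "192.168.1.1", "203.0.113.10"))
    # Same wrong address with the right mask: the gateway is no longer on-link at all.
    print("wrong addr :", walk_through("192.168.1.100/28", "192.168.1.1", "203.0.113.10"))
    # Correctly configured host for comparison.
    print("correct    :", walk_through("192.168.1.5/28", "192.168.1.1", "203.0.113.10"))
```

The output separates the cases the thread was circling: with the wrong mask the host does ARP for the router, and by the book's rule the router answers, so the packet does leave the host; but the router's reverse lookup for 192.168.1.100 does not select the LAN interface (the /28 does not cover it, so the default route wins), and a rule with source "LAN subnet" would not match that packet either. With the right mask but the wrong address, the host never sends at all, because its gateway is off-link, which is the "stopping itself" case from reply #4.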