PrimeYeti
Frequent Visitor
Topic Author
Posts: 65
Joined: Wed Mar 01, 2023 1:46 pm

Firewall Rule Order

Wed Oct 18, 2023 7:33 pm

If I create a firewall rule as such:

Accept - Forward - Src Address !192.168.1.0/24 - src Address-List LAN

Address List LAN:
192.168.1.0/24
192.168.2.0/24

This would accept forward from 192.168.2.0/24 but not 192.168.1.0/24 right?

My next question is why? Would the firewall rule go off specificity? Since the Src Address is more specific than the Src Address List, is it going to take precedence over the src Address List?
 
mkx
Forum Guru
Posts: 12651
Joined: Thu Mar 03, 2016 10:23 pm

Re: Firewall Rule Order

Wed Oct 18, 2023 7:39 pm

A firewall rule triggers when all properties which are set match. Properties, even if they seem to be similar (like src-address and src-address-list), are not handled "intelligently"; they are handled in a very straightforward manner. There is no magic (or AI) behind it. And no precedence: all properties are equal.
 
PrimeYeti
Frequent Visitor
Topic Author
Posts: 65
Joined: Wed Mar 01, 2023 1:46 pm

Re: Firewall Rule Order

Wed Oct 18, 2023 7:56 pm

Thanks for the reply mkx. I’ve just tested this and it seems to work the way I want it to (e.g. allows 192.168.2.0 through the router but not 192.168.1.0). My question is though why does it work?

Since the above rule is essentially saying the source address must be and must not be 192.168.1.0 for the rule to match. That's what got me thinking that the src address takes precedence over the src address list.
 
mkx
Forum Guru
Posts: 12651
Joined: Thu Mar 03, 2016 10:23 pm

Re: Firewall Rule Order  [SOLVED]

Wed Oct 18, 2023 8:16 pm

Your rule has two (matcher) properties:
  1. src-address-list=LAN
    The address list (among others) contains 192.168.1.0/24, so if packet's src address is e.g. 192.168.1.20, this property matches
  2. src-address=!192.168.1.0/24
    If packet's src address is 192.168.1.20, then this property doesn't match (property matches everything but the specified subnet)

Since all properties of a rule have to match for the rule to trigger, it won't trigger for the packet from the example: property #1 matches, property #2 doesn't match, so the rule as a whole doesn't match.

If, OTOH, the src address is, say, 192.168.2.40, then the first property matches (it is part of one of the subnets in the address list) and the second property matches as well (since the src address is not part of the specified subnet) ... hence the rule would trigger, as all properties match.
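A small model of the matching logic described in this answer, added here as an illustration and not RouterOS code: each matcher property is evaluated on its own, a leading `!` negates that one property, and the rule triggers only when every set property is true. The address list "LAN" and the trailing drop rule are constructed for the example; the two packet sources are the ones used in the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed address list mirroring the thread's "LAN" list.
ADDRESS_LISTS = {
    "LAN": [ip_network("192.168.1.0/24"), ip_network("192.168.2.0/24")],
}

def match_src_address(pkt_src, value):
    """src-address matcher; a leading '!' negates the subnet test."""
    negate = value.startswith("!")
    net = ip_network(value.lstrip("!"))
    return (pkt_src in net) != negate

def match_src_address_list(pkt_src, name):
    """src-address-list matcher; a leading '!' negates list membership."""
    negate = name.startswith("!")
    nets = ADDRESS_LISTS[name.lstrip("!")]
    return any(pkt_src in n for n in nets) != negate

MATCHERS = {
    "src-address": match_src_address,
    "src-address-list": match_src_address_list,
}

def explain(rule, pkt_src):
    """Per-property verdicts, to see which matcher made the rule fail."""
    src = ip_address(pkt_src)
    return {k: MATCHERS[k](src, v) for k, v in rule["match"].items()}

def rule_matches(rule, pkt_src):
    """A rule triggers only when every set property matches (logical AND).
    There is no precedence between src-address and src-address-list."""
    return all(explain(rule, pkt_src).values())

def first_matching_action(chain, pkt_src, default="accept"):
    """Walk the chain top to bottom; the first matching rule decides."""
    for rule in chain:
        if rule_matches(rule, pkt_src):
            return rule["action"]
    return default

# The thread's rule: accept forward if src is in LAN but not in 192.168.1.0/24.
# The empty-match drop rule is a constructed catch-all so the outcome is visible.
FORWARD_CHAIN = [
    {"match": {"src-address": "!192.168.1.0/24", "src-address-list": "LAN"},
     "action": "accept"},
    {"match": {}, "action": "drop"},
]

if __name__ == "__main__":
    for src in ("192.168.1.20", "192.168.2.40"):
        print(src, explain(FORWARD_CHAIN[0], src), first_matching_action(FORWARD_CHAIN, src))
```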
 
PrimeYeti
Frequent Visitor
Topic Author
Posts: 65
Joined: Wed Mar 01, 2023 1:46 pm

Re: Firewall Rule Order

Thu Oct 19, 2023 4:02 pm

That makes a lot more sense. I get what you mean.

Thanks for clarifying! :)
