That is basically what you have when you set the "allowed from" in the service. At least when you can confine your internal networks using IP subnet declarations.
Also, you can match on in-interface in firewall filters. So you don't need to match on source IP when you don't like to.
No, it isn't the same. "allowed from" allows you to open a socket to that service, and if your src IP address isn't listed, it will close the connection. If the service daemon is vulnerable...
Vulnerable to what? This closing of the connection occurs before any data exchange. It is not an RST reply to the SYN as was suggested by someone else, that would be even better, but it is SYN/SYN ACK/ACK/FIN ACK/FIN ACK/ACK, all without any data being exchanged. There does not appear to be much room for vulnerability exploits.
And what if you send a specially formed packet, and the router answers with the whole user database content? I prefer a brick wall instead of a door with 20 locks.
Something about TCP connection usage in applications. There are basically these steps which occur in a TCP connection's life:
1) LISTEN phase = application/daemon indicates that it is waiting for a connection
2) ACCEPT phase = a connection is established by a remote and the application is informed that there is a connection in the queue ready to be served. The application calls the 'accept' function on the connection and receives basic information about the remote side (IP address, port). And this is the time when allow-from is checked. If all is OK, step 3) occurs; if not, the connection is closed. It means the application reads no data from the remote but just informs the kernel to close the connection.
3) reading/sending data
4) connection close/terminate
Yes, there is a possibility that some packet type/content can cause the kernel (TCP/IP stack) to go nuts (there were ping of death packets etc.), but the chance that it will allow reading the /etc/passwd file is very low IMHO (I wouldn't like to be wrong). Since there are tons of lines of software which handle the packet delivery (network drivers, TCP/IP stack) before it reaches the firewalling rules, there still is a chance that something wrong can happen.
There is a possibility to upload filtering rules directly to the network card (not supported by ROS), but the card is full of potentially badly written software too.
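The accept-phase check described in the steps above, as an added example that is not from the thread or from RouterOS: a small loopback server that consults only the peer address returned by accept() and closes the connection without ever calling recv() when the peer is not in a constructed allow list (the CIDR values and the `is_allowed`/`serve_once`/`demo` names are this example's own).

```python
import ipaddress
import socket
import threading

def is_allowed(peer_ip, allowed_cidrs):
    """Step 2 of the post: decide purely on the peer address, never on payload."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(c) for c in allowed_cidrs)

def serve_once(listener, allowed_cidrs):
    """Accept one connection. Returns the bytes read, or b"" when the peer was
    refused at accept time (the kernel tears the connection down unread)."""
    conn, (peer_ip, _port) = listener.accept()
    with conn:
        if not is_allowed(peer_ip, allowed_cidrs):
            return b""            # no recv(): nothing the client sent is parsed
        return conn.recv(1024)    # step 3 happens only for allowed peers

def demo(allowed_cidrs):
    """Run one client/server exchange on 127.0.0.1 and return what the server read.
    The client always sends data; whether it is read depends on the allow list."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))   # constructed: ephemeral loopback port
    listener.listen(1)
    result = []
    t = threading.Thread(target=lambda: result.append(serve_once(listener, allowed_cidrs)))
    t.start()
    with socket.create_connection(listener.getsockname()) as client:
        try:
            client.sendall(b"login admin\n")   # constructed request payload
        except OSError:
            pass   # peer may already have closed; that is the point of the check
    t.join()
    listener.close()
    return result[0]

if __name__ == "__main__":
    print(demo(["127.0.0.0/8"]))        # peer allowed: payload is read
    print(demo(["192.168.88.0/24"]))    # peer not allowed: closed unread
```

Compare this with a firewall drop: there the handshake itself never completes, so the listening daemon is not even reached, which is the distinction the thread is arguing about.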