In the firewall rule examples, which component identifies the traffic source in a deny rule?

Traffic source in firewall rules is identified by the IP address. IP addresses name hosts across networks and are what routers use to determine where a packet originated, making them the primary filter criterion for who sent traffic and from where. MAC addresses, while useful on a local network segment, don’t survive routing—routers replace the source MAC as packets traverse networks—so they aren’t reliable for identifying the origin in deny rules that apply across networks. Port numbers specify a service on a host (like port 80 for HTTP) and help match traffic to a particular application, not identify who sent it. Protocol indicates the kind of transport (TCP, UDP, ICMP) but not the sender’s identity. So, the component that identifies the traffic source is the IP address.