I think the attacker won't be able to complete a TCP handshake if spoofing an IP, because the return packets won't be routed to the attacker.
The attacker would have to be on the local network, in which case the attacker isn't really bypassing the allow rule, because the allow rule is intended to allow anyone on the local netowkr.
The attacker would have to be on the local network, in which case the attacker isn't really bypassing the allow rule, because the allow rule is intended to allow anyone on the local netowkr.