Quote:
Originally Posted by 0x29a
Sorry to pester about this, but I was wondering if you could clarify this statement for me so I can see about implementing it on my network.
Hi Andrew,
My comment is specifically about the network itself, and not any particular application, but...
Say your ISP/Network is assigned the subnet 20.30.40.0/24. At your border routers you would have ingress and egress ACLs or firewall rules that:
a. only allow traffic into your network if it is destined for an IP in the 20.30.40.0/24 subnet (ingress)
b. only allow traffic out of your network if it comes from an IP in the 20.30.40.0/24 subnet (egress)
This ensures that:
a. you only accept traffic that is destined for a host on your network (usually this isn't an issue because it'll probably just get bounced back out via your default route when your border router realises that it can't actually reach the "bogus" destination, but might end up coming back in again, i.e. a routing loop, or might just end up being null routed if there is no default route)
b. more importantly, you won't allow traffic to exit your network where the source address has been spoofed
b is the more important of the two. Traffic shouldn't exit your network from IPs that don't live on it. :-)
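As an added illustration (not part of the post above), here is the ingress/egress decision from rules (a) and (b) written out as a function and run over a few constructed sample packets for the 20.30.40.0/24 example network. It goes one step beyond the post by also dropping inbound packets whose source claims to be inside the prefix, a common companion to rule (a); the function names and packets are assumptions for this example, and the outside addresses are RFC 5737 documentation ranges.

```python
import ipaddress
from typing import List, Tuple

# The prefix assigned to our network in the post's example.
OUR_PREFIX = ipaddress.ip_network("20.30.40.0/24")


def border_filter(direction: str, src: str, dst: str,
                  prefix: ipaddress.IPv4Network = OUR_PREFIX) -> Tuple[str, str]:
    """Decide what the border router does with one packet.

    direction is "in" (arriving from upstream) or "out" (leaving toward
    upstream). Returns (verdict, reason). Hypothetical helper for this example.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    if direction == "in":
        # Rule (a): only accept traffic destined for a host we actually own,
        # so bogus destinations never bounce around our default route.
        if d not in prefix:
            return ("drop", "ingress: destination not in our prefix")
        # Extra check beyond the post: a packet arriving from outside that
        # claims one of our own addresses as its source is spoofed as well.
        if s in prefix:
            return ("drop", "ingress: our own prefix as source from outside")
        return ("accept", "ingress ok")
    if direction == "out":
        # Rule (b): only let traffic leave if the source really lives here.
        if s not in prefix:
            return ("drop", "egress: spoofed source address")
        return ("accept", "egress ok")
    raise ValueError(f"unknown direction {direction!r}")


# Constructed sample packets: (direction, source, destination).
SAMPLE_PACKETS = [
    ("out", "20.30.40.17", "203.0.113.5"),   # legitimate outbound
    ("out", "198.51.100.9", "203.0.113.5"),  # spoofed source leaving us
    ("in", "203.0.113.5", "20.30.40.17"),    # legitimate inbound
    ("in", "203.0.113.5", "192.0.2.8"),      # not ours; would loop/null route
    ("in", "20.30.40.17", "20.30.40.18"),    # outside packet claiming our prefix
]


def audit(packets: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Apply border_filter to every sample packet and collect the verdicts."""
    return [border_filter(direction, src, dst) for direction, src, dst in packets]


if __name__ == "__main__":
    for pkt, (verdict, reason) in zip(SAMPLE_PACKETS, audit(SAMPLE_PACKETS)):
        print(f"{pkt[0]:>3} {pkt[1]:>15} -> {pkt[2]:<15} {verdict:6} ({reason})")
```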