"Rob Tanner" <tanner @
gov> asked about IP address spoofing:
> I'm putting a network behind a firewall that only about a dozen
> different folks need to get into. The firewall is composed of a
> single router and a bastion host running ftp and telnet proxies out of
> the TIS firewalls toolkit. The bastion host sits on the internet side
> of the router. The router will silently drop all UDP and all source
> routed packets.
Why not put a router/packet filter between the Internet and the bastion
host? Then you can tell the router to drop packets going to your
networks that have your IP addresses since nobody with your IP
addresses should be coming through the router from the Internet.
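
The check suggested in the reply above, sketched in Python as an added example that is not part of the original thread and is not router configuration. The prefixes, addresses and the interface labels "internet" and "inside" are constructed placeholders.

```python
import ipaddress

# Constructed placeholder prefixes (documentation ranges) standing in for
# "your networks"; substitute the real internal prefixes.
INTERNAL_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


def is_internal(addr):
    """True if addr falls inside any of the internal prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def outer_router_decision(in_iface, src, dst):
    """Decide 'drop' or 'pass' for a packet seen by the outer router.

    in_iface is the interface the packet ARRIVED on. The same source
    address is legitimate on the inside interface and forged on the
    Internet-facing one, so the rule keys on interface plus source.
    dst is kept only so the decision can be logged with the full flow.
    """
    if in_iface == "internet" and is_internal(src):
        return "drop"  # claims an internal source but came from outside
    return "pass"


# Constructed sample traffic: (arrival interface, source, destination)
SAMPLE_PACKETS = [
    ("internet", "203.0.113.7", "192.0.2.10"),     # ordinary outside host
    ("internet", "192.0.2.55", "192.0.2.10"),      # spoofed internal source
    ("internet", "198.51.100.100", "192.0.2.10"),  # inside the /25: spoofed
    ("internet", "198.51.100.200", "192.0.2.10"),  # just outside the /25
    ("inside", "192.0.2.55", "203.0.113.7"),       # real internal host
]


def evaluate(packets):
    """Return the decision for each packet, in order."""
    return [outer_router_decision(*p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, evaluate(SAMPLE_PACKETS)):
        print(verdict, *pkt)
```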