I have a couple of questions with respect to Firewall-1's ability to
be configured to protect against the attack the recent CERT advisory describes.
Assumptions (for simplicity): The firewall configuration consists of a
single host acting as a gateway between the internal net and the
outside world, using Firewall-1 to filter packets. Other
rules/filters are in place to protect against other forms of attack, etc.
From the documentation I've seen, FW-1 seems to rely mostly on the
address information contained in the packet and NOT the interface it
came in on.
The only thing that looks like it might do the job would be to install
a rule in the gateway FW-1 packet filter that drops all packets whose
source and destination are both in the internal net. The
gateway should never receive such packets for forwarding from the
inside, so I figure it's safe to assume they originated on the outside
and are bogus.
My questions: (A) will the above rule work the way it is intended, and (B) is
this sufficient to defeat this attack?
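The following is an added example, not part of the original message and not Firewall-1 syntax or configuration: a small Python model of the rule the post proposes (drop when source and destination are both internal) placed beside an ingress-interface check, so the two can be run over the same sample traffic. The internal net, the gateway's outside address, the interface names and the sample packets are all constructed for illustration. One case worth noticing in the output is a packet arriving from outside with an internal source and the gateway's own external address as destination: the source-and-destination rule, as written, does not match it, while an interface-based check does.

```python
"""Model of the address-only anti-spoofing rule versus an interface check.
Added example; assumed topology: one gateway with 'inside' and 'outside' interfaces."""
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.1.0.0/16")      # constructed internal net
GATEWAY_EXTERNAL = ipaddress.ip_address("192.0.2.1")    # constructed outside address of the gateway


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str  # interface the packet arrived on: 'inside' or 'outside'


def is_internal(addr: str) -> bool:
    """True if the address falls inside the (assumed) internal net."""
    return ipaddress.ip_address(addr) in INTERNAL_NET


def address_rule_drops(pkt: Packet) -> bool:
    """The rule from the post: drop when source AND destination are both internal.
    It consults addresses only, which is all the post says FW-1 looks at."""
    return is_internal(pkt.src) and is_internal(pkt.dst)


def interface_rule_drops(pkt: Packet) -> bool:
    """Ingress-interface check (an assumption for this example, not something the
    post attributes to FW-1): an internal source arriving on the outside interface
    is treated as spoofed regardless of its destination."""
    return pkt.iface == "outside" and is_internal(pkt.src)


def compare(pkt: Packet) -> dict:
    """Evaluate both policies on one packet and report the verdict of each."""
    return {
        "address_rule": "drop" if address_rule_drops(pkt) else "pass",
        "interface_rule": "drop" if interface_rule_drops(pkt) else "pass",
    }


# Constructed traffic samples (not captured data).
SAMPLES = {
    "spoofed_to_internal_host": Packet("10.1.2.3", "10.1.4.5", "outside"),
    "spoofed_to_gateway_itself": Packet("10.1.2.3", str(GATEWAY_EXTERNAL), "outside"),
    "legit_outbound": Packet("10.1.2.3", "198.51.100.7", "inside"),
    "legit_inbound": Packet("198.51.100.7", "10.1.4.5", "outside"),
}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:28} {compare(pkt)}")
```

Running the block prints one line per sample; the spoofed packet aimed at an internal host is dropped by both policies, the legitimate flows pass both, and only the interface check catches the spoofed packet addressed to the gateway's outside interface.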