I'm replying to this with a bit of uncertainty, since I didn't see the
original post, but someone else forwarded it to me. So please understand
that this is in the order of a reply, not a shameless advertisement.

In setting up any firewall, it is considered good practice to limit the
firewall to 2 interfaces; the inside and the outside. It is certainly
possible to do a firewall with multiple interfaces, but it's not recommended.
If that is impossible, then the router to the internet itself (assuming that
you have a perimeter net) should carry the anti-spoofing filters, rather than
the internet firewall itself.

Another possibility is that if your router with multiple ethernet interfaces
has a DIFFERENT NETWORK NUMBER (Not just subnet) then you can set up filters
which protect each of them. The drawback here is that you have to protect
Inside net#1 from the outside, and Inside net#2 from the outside, but you
have to allow Inside net#1 to talk with Inside net#2, and THAT can be

That said, if you limit yourself to two interfaces on a 3Com router, setting
up the filters (Filter Addresses really) to deny spoofing attacks is actually
pretty easy. You can only use multiple interfaces if only ONE interface
is for the internal network, and all others are considered OUTSIDE.

If your IP address is (using ours for example) 129.213.x.y, the filter setup
would look like this:

add -ip FilterAddr 184.108.40.206/0.0.255.255 <> 220.127.116.11/0.0.255.255 Discard

The <> will cause the FilterAddr to be counted for traffic both directions,
and the overall prohibition is to check the source and destination addresses,
and discard anything which looks like inside-to-inside traffic.

If your particular perimeter net uses the same basic IP address, then you will
have to add Filters and FilterAddrs to specifically allow the inside (or
specific hosts inside) to talk with your bastion host for maintenance work.
I hope that helps,
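
Added example (not part of the original message, and not 3Com code): a small Python model of the address-pair check described above, showing which packets an inside-to-inside Discard rule drops and why a perimeter net on the same network number needs an explicit exception for the bastion host. Assumptions: the inside network is written as 129.213.0.0 after the post's 129.213.x.y, the second field is treated as a wildcard mask (set bits are ignored), rules are evaluated first-match with a default of Forward, and all host addresses are constructed.

```python
import ipaddress

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def matches(addr, base, wildcard):
    """True when addr equals base on every bit NOT set in the wildcard mask."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

class Rule:
    """Address-pair rule; both_ways models the '<>' operator in the post."""
    def __init__(self, a, b, action, both_ways=True):
        self.a, self.b, self.action, self.both_ways = a, b, action, both_ways

    def hits(self, src, dst):
        fwd = matches(src, *self.a) and matches(dst, *self.b)
        rev = self.both_ways and matches(src, *self.b) and matches(dst, *self.a)
        return fwd or rev

def decide(rules, src, dst):
    # Assumption of this model: first matching rule wins, otherwise forward.
    for rule in rules:
        if rule.hits(src, dst):
            return rule.action
    return "Forward"

INSIDE = ("129.213.0.0", "0.0.255.255")       # 129.213.x.y from the post
ANTI_SPOOF = [Rule(INSIDE, INSIDE, "Discard")]

# Constructed hosts: a bastion on a perimeter net that shares the inside
# network number, and one inside admin workstation allowed to reach it.
BASTION = ("129.213.200.5", "0.0.0.0")
ADMIN = ("129.213.1.10", "0.0.0.0")
WITH_EXCEPTION = [Rule(ADMIN, BASTION, "Forward")] + ANTI_SPOOF

if __name__ == "__main__":
    samples = [  # constructed (src, dst) pairs as seen at the router
        ("198.51.100.9", "129.213.7.7"),    # genuine outside -> inside
        ("129.213.1.10", "198.51.100.9"),   # inside -> outside
        ("129.213.9.9", "129.213.7.7"),     # claims inside source: spoofed
        ("129.213.1.10", "129.213.200.5"),  # admin -> bastion maintenance
    ]
    for src, dst in samples:
        print(src, "->", dst, decide(ANTI_SPOOF, src, dst),
              decide(WITH_EXCEPTION, src, dst))
```

In this model the exception matches on addresses alone, so it is kept as narrow as the specific hosts that need it.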