In some mail from Travis Hassloch, sie said:
> It doesn't keep connection state in the packet like TCP does,
> but that doesn't mean a gateway can't. Besides, if you
> rely on what the TCP flags say you're opening yourself
> up to passive port scans (i.e. scans based on packets with ACK
Not if you've half a clue about things. Some vendors are missing
half a clue but.
> >Note: ingress traffic filtering is a concept of filtering
> >traffic leaving your administrative domain so that only
> >traffic which is announced via routing (e.g BGP) is allowed
> >to exit your routing domain. This does nothing to protect
> >you from an attack, but it does disallow downstream users
> >from launching attacks using nonexistent source addresses.
> Is this the multi-network equivalent of blocking outgoing
> packets which don't appear from being part of your internal
Yes. Something all routers should do, anyway.