> > We have a screend filter (from DEC).
> > In the Firewalls and Internet Security book on p. 66 it says that with
> > screend there is no protection against address-spoofing.
> The issue is that screend (like many screening systems)
> doesn't have the ability to filter based on where the traffic CAME
> from rather than from where it CLAIMS to come from. Newer versions
> of routers can do this, and I STRONGLY RECOMMEND that anyone with
> a router-based firewall upgrade their ROMs.
> Suppose I have a screening router with 2 interfaces, le0 and
> le1, where le1 is the "outside" and le0 is the "inside". Suppose my
> inside net is 192.33.112 and I tell the router it can "route anything
> from 192.33.112 to anyplace" but "only allow incoming traffic to
> go to my bastion 22.214.171.124" -- the flaw in the system is that
> the router has no idea if the traffic came in on le0 or le1. What
> if I have someone fake a packet so it comes in on le1 (the outside)
> claiming to come from 126.96.36.199, which the bastion trusts?
I can see how a packet could get INTO a "protected" net based on this
method but the router wouldn't route the response, unless source routing
was used. That would preclude TCP sessions. Can a UDP packet be used to
do any damage if there is no return path possible?
Or am I missing something ?
From: lavondes @
fr (Michel Lavondes)