> > a filtering router that restricts the input to your external interface
> > (known as an input filter) by not allowing a packet through if it has a
> > source address from your internal
> > network. "
> I am not clear on why this would not eliminate IP-spoofed packets
> all together.
Not only would I junk and log packets claiming to be from my internal
network but also junk and log packets that have bits set in the IP options
header. This would not protect against SYN attacks, just make it
more difficult for people to claim to be someone else whilst doing it.