Thanks everyone for the clarification.
On 5/18/05, Chris Buechler <cbuechler at gmail dot com> wrote:
> On 5/18/05, Don Munyak <don dot munyak at gmail dot com> wrote:
> > Is address-spoofing protection built-in to the default rules in
> > m0n0wall or is this something I need to apply to the filters tab?
> Spoofing protection is built into the "behind the scenes" rules that
> you can't see in the rules screens (go to status.php to see them).
> > ie..."Packets that claim to be coming from internal machines but are
> > actually coming in from the outside"
> Those are dropped.
> > also "Internal packets that have external source addresses"
> Packets with source addresses that aren't within your LAN subnet are
> dropped outbound automatically as well. In the case of a router and
> multiple subnets off of your LAN interface, the static routes required
> for those subnets to function exempt those networks from the outbound
> anti-spoofing in addition to the LAN subnet.
> Also the "block private networks" box on the WAN interface page should
> be checked to drop RFC1918 private address space.
> As mentioned earlier, there are also bogon lists, which typically
> include multicast address space, unassigned network blocks, private
> address space, and other reserved address space that you should never
> see coming in from the internet. These change somewhat frequently
> though, so if you use them you'll need to make sure you keep them up
> to date.
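
The source-address checks described in the thread above, modelled as a small decision function. This is an added example, not part of the original messages and not m0n0wall's actual rule set. The subnets, the `check_source` function and the sample packets are constructed for illustration; bogon lists are not modelled.

```python
import ipaddress

# Assumed example addressing (not from the thread).
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")
# Subnets behind an internal router, reached through static routes on LAN.
STATIC_ROUTES = [ipaddress.ip_network("10.20.0.0/16")]
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def check_source(iface, src, block_private=True):
    """Return (action, reason) for a packet arriving on iface ('wan' or 'lan')."""
    addr = ipaddress.ip_address(src)
    # Assumption: static-routed subnets count as internal on both interfaces.
    internal = [LAN_SUBNET] + STATIC_ROUTES
    if iface == "wan":
        # Packet from outside that claims an internal source address.
        if _in_any(addr, internal):
            return ("drop", "spoofed internal source on WAN")
        # Models the "block private networks" box on the WAN interface page.
        if block_private and _in_any(addr, RFC1918):
            return ("drop", "RFC1918 source on WAN")
        return ("pass", "source plausible for WAN")
    if iface == "lan":
        # Outbound: only the LAN subnet and static-routed subnets may be sources.
        if _in_any(addr, internal):
            return ("pass", "source within LAN or static-routed subnet")
        return ("drop", "source outside LAN subnets")
    raise ValueError(f"unknown interface: {iface!r}")


# Constructed sample packets: (arrival interface, source address).
SAMPLES = [
    ("wan", "192.168.1.50"),   # claims to be a LAN host
    ("wan", "172.16.5.9"),     # private address space arriving from outside
    ("wan", "198.51.100.7"),   # documentation range standing in for a public host
    ("lan", "192.168.1.50"),   # ordinary LAN host
    ("lan", "10.20.3.4"),      # host behind the internal router
    ("lan", "203.0.113.9"),    # LAN-side packet with an external source
]

if __name__ == "__main__":
    for iface, src in SAMPLES:
        action, reason = check_source(iface, src)
        print(f"{iface:3} {src:15} {action:4} {reason}")
```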