On 5/23/06, Molle Bestefich <molle dot bestefich at gmail dot com> wrote:
> But only for the WAN interface?
> Different customers on different subnets behind the firewall are free
> to spoof as they like?
No. Only the local subnet off of an interface is permitted outbound.
That's automatically taken care of. If you enter static routes off of
an interface, those antispoofing rules are opened to allow through the
network you defined in the static route as well. Outbound
antispoofing, by source IP, is taken care of.