IP spoofing

I have seen what should be default rules for firewalls described as:
deny any address from your internal network
deny any local host addresses (example 127.0.0.1)
deny any reserved private addresses
deny any addresses in the IP multicast address range
Then I also saw this advice:
"have separate inbound and outbound ACLs to ensure that the data that's leaving the network comes from a different source than data that's coming into the network"
So I think I get the last one; I thought that would be a way to prevent IP spoofing, because if someone is spoofing, the data they are sending will actually be coming from the outside. Does that sound right?
I really can't picture the purpose of the other rules though. For instance, why would I want to "deny any address from your internal network"? Wouldn't that mean that if one of my interior network addresses is 192.168.0.2, and if the firewall denies data from that address (the internal network), then that client couldn't, for example, send requests to web servers to look at web pages? That person would click on a link, and that request is denied on the firewall? Is that what that means?
Basically, if someone has some good visuals of what is happening with these firewall rules, I would really appreciate it.
JeffBeallAsked:
harbor235Commented:
"have separate inbound and outbound ACLs to ensure that the data that's leaving the network comes from a different source than data that's coming into the network"

Right, you want to add an outbound filter that allows traffic sourced from your internal networks; this guarantees no one is spoofing traffic from your internal networks. If everyone implemented outbound filters then the traffic originating from their networks would be only legitimate traffic from their IP blocks.

"deny any address from your internal network"

This is for the inbound filter and it's for traffic sourced from your internal nets. This means you should never receive traffic from the outside sourced from your internal nets, you see? Your nets are on the inside; how can they be outside?

harbor235 ;}
mikebernhardtCommented:
"have separate inbound and outbound ACL's to ensure that the data that's leaving the network comes from a different source than data that's coming into the network" means:
Create an inbound list which denies traffic sourced from your own public addresses, and an outbound list which ONLY allows traffic from your own public addresses. Does that make sense? Then no one can send you data with your source address, and no one on your network can spoof someone else's addressing (good internet citizen).

Your policies should also deny PRIVATE addresses from coming in. And unless you are doing NAT on the outside of the firewall, it should also deny private addresses from going out.
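To make the two answers above concrete, here is an added example (not from any participant in this thread) of a toy border filter that applies both lists: an inbound ACL that drops packets claiming the site's own addresses, private, loopback or multicast sources, and an outbound ACL that lets only the site's own addresses leave. The address blocks 203.0.113.0/24 (documentation range) and 192.168.0.0/16 are assumed placeholders for "our public block" and "our internal net"; the sample packets are constructed.

```python
import ipaddress
from typing import Tuple

# Assumed placeholders: the site's own public block and its internal RFC 1918 range.
OUR_PUBLIC = ipaddress.ip_network("203.0.113.0/24")
OUR_INTERNAL = ipaddress.ip_network("192.168.0.0/16")

# Source ranges that can never legitimately arrive from the Internet.
BOGON_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),       # RFC 1918 private
    ipaddress.ip_network("172.16.0.0/12"),    # RFC 1918 private
    ipaddress.ip_network("192.168.0.0/16"),   # RFC 1918 private
    ipaddress.ip_network("127.0.0.0/8"),      # loopback ("local host")
    ipaddress.ip_network("224.0.0.0/4"),      # multicast is never a unicast source
]

def inbound_allowed(src: str) -> Tuple[bool, str]:
    """Inbound ACL (outside -> inside). Our own addresses and bogons are
    dropped as spoofed; anything else falls through to the normal policy."""
    s = ipaddress.ip_address(src)
    if s in OUR_PUBLIC:
        return False, "deny: source is our own public block (spoofed)"
    for net in BOGON_SOURCES:
        if s in net:
            return False, f"deny: source in unroutable range {net}"
    return True, "permit"

def outbound_allowed(src: str, nat_outside_firewall: bool = False) -> Tuple[bool, str]:
    """Outbound ACL (inside -> outside). Only our addresses may leave, so an
    inside host cannot spoof a stranger. With NAT done on the firewall the
    filter sees public sources, so private sources are denied; if NAT happens
    further out (nat_outside_firewall=True), private sources must pass."""
    s = ipaddress.ip_address(src)
    if s in OUR_PUBLIC:
        return True, "permit"
    if nat_outside_firewall and s in OUR_INTERNAL:
        return True, "permit: private source, NAT applied beyond the firewall"
    return False, "deny: source address is not ours (egress spoofing)"

SAMPLE_PACKETS = [  # constructed: (direction, source address)
    ("in", "198.51.100.7"),   # ordinary Internet host reaching us: permit
    ("in", "203.0.113.5"),    # outsider claiming our public address: deny
    ("in", "192.168.0.2"),    # our internal range arriving from outside: deny
    ("out", "203.0.113.5"),   # the 192.168.0.2 client after NAT, browsing: permit
    ("out", "198.51.100.7"),  # inside host forging a stranger's address: deny
]

def run_filter(packets, nat_outside_firewall: bool = False):
    """Apply the direction-appropriate ACL to each packet; returns (dir, src, ok, why)."""
    return [(d, s, *(inbound_allowed(s) if d == "in" else outbound_allowed(s, nat_outside_firewall)))
            for d, s in packets]
```

The inbound deny on 192.168.0.2 only fires on packets arriving from outside; the client's own web request leaves through the outbound list carrying its NATted public source, so browsing is unaffected.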
JeffBeallAuthor Commented:
Thank you.