Rich Brown <richb.hano...@gmail.com> writes: > - I have added a BCP38 page to give an overview of that page. A > question that I haven't seen addressed in the commentary on the list: > Does this BCP38 implement also filter out spoofed source addresses? (I > imagine it would, but the pages don't specifically say so.)
It blocks the configured subnets: - at ingress on one - at egrees on destination. I.e. a packet arriving on the WAN interface *from* one of the configured subnets or a packet departing the WAN interface *towards* one of the configured subnets will get dropped. You could presumably still send a packet from the inside with a spoofed source address, but that source address would then get rewritten by the NAT filter... -Toke
signature.asc
Description: PGP signature
_______________________________________________ Cerowrt-devel mailing list Cerowrt-devel@lists.bufferbloat.net https://lists.bufferbloat.net/listinfo/cerowrt-devel
