Cisco Firewall Unicast Reverse Path Forwarding

As packets arrive at a firewall interface, they are first checked for basic integrity. One of these checks is whether the source address is spoofed, and a Cisco firewall implements it in its Unicast Reverse Path Forwarding (RPF) feature. When RPF is enabled on an interface, the source address of each incoming packet is looked up in the firewall's routing table, and the matching route must point to the interface on which the packet arrived. In other words, the firewall verifies that a packet sent back to the source would take the same path in reverse.
The firewall drops any packet that fails the RPF test, and the drop is logged. If RPF is enabled, make sure every IP subnet that can be reached through a firewall interface is also identified with a route command on the firewall. That way, the firewall can find those source addresses during the RPF test (and can forward packets toward those destination networks). A subnet that is reachable through an interface but has no route entry is matched by a less specific route instead, typically the default route, and its legitimate traffic is then dropped as spoofed.
The outside firewall interface is a special case, however. The firewall usually has a default route pointing out the outside interface, because most of the public network or Internet is found there. How, then, can the firewall check for address spoofing on packets arriving at the outside interface?
If a source address does not match a more specific route in the routing table, the default route is taken as the match. Packets arriving from the outside therefore pass the RPF test as long as either a route to the source subnet or a default route points to the outside interface. If an outside host spoofs a source address that belongs to a host or subnet on another firewall interface, however, the reverse path to that address points to that other interface rather than to outside, and the check fails.
Only those packets are dropped. If a host on the outside spoofs the address of another outside host, the firewall cannot detect it, because the spoofing happens entirely on a single interface: both the real and the spoofed address resolve to the same reverse path.
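The decision logic described above, worked through as an added Python model (this is an illustration written for this page, not Cisco code). It assumes a static routing table of (prefix, egress interface) pairs with longest-prefix matching and a per-interface RPF toggle; the interface names, subnets and packet source addresses are constructed for the example. It runs each of the cases discussed in the text, including the outside-to-outside spoof that the check cannot see and the inside subnet that is wrongly dropped until a route statement for it is added.

```python
"""Model of a Cisco firewall's Unicast RPF check (added illustration, not Cisco code).

Assumptions: a static routing table of (prefix, egress interface) pairs, longest-prefix
match, and a per-interface RPF toggle. Addresses, interface names and routes below are
constructed for the example.
"""
import ipaddress


class Firewall:
    """Minimal model of the routing table and the per-interface RPF test."""

    def __init__(self):
        self.routes = []             # list of (IPv4Network, egress interface)
        self.rpf_interfaces = set()  # interfaces with the RPF check enabled
        self.log = []                # dropped packets, as the firewall would log them

    def add_route(self, prefix, interface):
        """Stands in for a 'route <interface> <network> <mask>' statement."""
        self.routes.append((ipaddress.ip_network(prefix), interface))
        # Longest prefix first, so a specific route beats the 0.0.0.0/0 default.
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def enable_rpf(self, interface):
        self.rpf_interfaces.add(interface)

    def reverse_path(self, source):
        """Interface the firewall would use to send a packet back to 'source',
        or None when no route (not even a default) matches."""
        addr = ipaddress.ip_address(source)
        for prefix, interface in self.routes:
            if addr in prefix:
                return interface
        return None

    def rpf_check(self, ingress, source):
        """True if the packet passes (or RPF is off on the ingress interface),
        False if it is dropped and logged."""
        if ingress not in self.rpf_interfaces:
            return True
        egress = self.reverse_path(source)
        if egress == ingress:
            return True
        self.log.append(f"RPF drop: src={source} arrived on {ingress}, reverse path is {egress}")
        return False


def build_firewall():
    fw = Firewall()
    fw.add_route("0.0.0.0/0", "outside")   # default route: the Internet is out there
    fw.add_route("10.1.1.0/24", "inside")
    fw.add_route("10.2.2.0/24", "dmz")
    for name in ("outside", "inside", "dmz"):
        fw.enable_rpf(name)
    return fw


def run_scenarios():
    """Returns ({label: passed}, drop_log) for the cases in the text (constructed packets)."""
    fw = build_firewall()
    results = {
        # Ordinary Internet host: matched by the default route, which points outside.
        "internet_host_from_outside": fw.rpf_check("outside", "203.0.113.5"),
        # Outside host spoofing an inside address: reverse path is 'inside', so dropped.
        "spoofed_inside_addr_from_outside": fw.rpf_check("outside", "10.1.1.5"),
        # Outside host spoofing another outside host: same interface, cannot be detected.
        "spoofed_outside_addr_from_outside": fw.rpf_check("outside", "198.51.100.7"),
        # Legitimate inside host.
        "inside_host_from_inside": fw.rpf_check("inside", "10.1.1.5"),
        # Inside subnet with no route statement: it falls through to the default route
        # (outside), so the firewall wrongly drops it as spoofed.
        "unrouted_subnet_from_inside": fw.rpf_check("inside", "172.16.0.9"),
    }
    # The fix the text recommends: a route for every subnet reachable via an interface.
    fw.add_route("172.16.0.0/16", "inside")
    results["unrouted_subnet_after_route_added"] = fw.rpf_check("inside", "172.16.0.9")
    return results, fw.log


if __name__ == "__main__":
    outcome, drops = run_scenarios()
    for label, passed in outcome.items():
        print(f"{label:36s} {'pass' if passed else 'DROP'}")
    for line in drops:
        print(line)
```

The two drop entries in the log are the packet spoofing an inside address from outside and the inside packet from the subnet with no route; after the route is added the latter passes. The spoofed outside address is never logged, which is the limit of the check the text describes.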


Article Originally Published On: http://www.articlesnatch.com