Flash Gordon <spam@flash-gordon.me.uk> wrote:
> At least some of the cheap NAT/Router/"Firewall" devices (I know Leythos
> does not consider them to be firewalls, I'm not arguing that they are,
> they just claim to have firewalls) will reject packets from the WAN
> point that spoofed source IPs claiming to have originated in the LAN.

Yes. And I hope, that in future more and more such devices will be sold
configured like that.

> So
> in this instance the cheap HW device is clearly better than the Windows
> firewall because the windows firewall has no way of knowing whether the
> packet is coming from the internet with a spoofed address of from the
> local network.

You cannot compare that, because a user, who connects his computer with
the Internet directly and is using the Windows-Firewall has no "inside"
or "outside" addresses, because she/he is not using NAT.

If the user has a NAT router, then of course it should be configured
to filter, wether the user is using an extra Windows-Firewall or not.

Yours,
VB.
--
MAC-Filtering bringt so viel Schutz vor "Hackern" wie Zeitungspapier vor
einer Atombome. (MAC filtering is protecting against "hackers" like newsprint
is protecting against a nuclear bomb)
- Christian Forler in de.comp.security.misc