Spoofing?

[infrared013]

Can anyone explain to me what a "spoofing group" is and why i need to add it in the topology configuration for an interface?

[melipla]

In short, anti-spoofing was designed to stop a computer from faking another computer's IP address. Spoofing is generally used by viruses or zombie PC's to hide their origin so that they can perform malicious activities like spread themselves or DDoS someone without being caught.

On a specific Interface properties for a gateway, you have two options sections: Topology and Anti-Spoofing. Identifying the topology of an interface is listing all the IPs that could originate from behind that interface. The Anti-spoofing defaults to blocking all IPs that you don't define as being in the topology.

An example would be, you have a DMZ of 10.1.1.1. A computer is infected and wants to serve malicious code out to unsuspecting victims, that computer sends out packets saying "I'm Google, here's your malicious webpage". What Anti-Spoofing will do is say, Google aka 192.168.1.1 doesn't exist on this interface so I won't allow this traffic to pass, thus saving the victim from being infected. Now you're the hero.

HTH

[plymouth]

What is happening in the case of every other packet being dropped for suspected spoofing?
My topology is similar to the many describe on the this topic. A segment one hop removed from my R55 cluster.
A host in that segment is pinging a host behind an R61 adjacent to my R55.

An icmp packet is accepted and passed through to the destination.
The next icmp paket, same source and destination, is dropped for suspected spoofing.

These spoofing errors only occur on the R55 cluster.

The requisite topology configurations appear to be in order.

How is this resolved?

[MarioL]

By default "anti-spoofing" tends to be configured as the subnet behind the interface. If you have several subnets there, you should create all of them as network objects, then create a group and add them all in, and finally add that in the interface anti-spoofing (using "specific").

This way the firewall "knows" that all those subnets are connected there and stops blocking the traffic.

To add to what melipla already said, another very important reason why you WILL want anti-spoofing configured is so that I can't sent a packet with the source IP as one of your own internal networks and get it to be accepted by the policy because of your rules. Even if the replies would be routed in, this would allow blind attacks, DoS, etc...