Ingress and Egress Filtering

Ingress and egress filtering are common filtering practices used to eliminate spoofing. A source address that arrives on the opposite side of the firewall from the side where that address is assigned is obviously spoofed. For example, this happens when an internal LAN address appears as the source address of a packet entering the network from outside. This form of spoof filtering can be part of ingress filtering.

Likewise, the same process can filter for packets leaving a network. If a packet with a source address from the outside, such as an Internet address, is received by a firewall from an interface inside the private LAN, this is also a spoofed address. This form of spoof filtering can be part of egress filtering.

Ingress and egress filtering can expand beyond protection against spoofing and include a variety of investigations on inbound and outbound traffic. This can include blacklist and whitelist filtering, protocol and port blocking, and confirmation of authentication or authorization before communications continue.

Unfortunately, if a packet's spoofed source address does not violate any of these rules, the spoofing may not be as easy to detect. For example, if a client spoofs the IP address of another client in the same subnet, the rules just described would fail to notice the spoofed communication. In addition to basic ingress and egress filtering, firewalls can therefore support additional forms of packet examination and investigation.
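The interface-versus-address check described above, written out as a small added example (not code from the original text); the LAN prefixes, the blocklisted host and the sample packets are all constructed for illustration. The last sample shows the limitation just noted: a host spoofing a neighbour in its own subnet arrives on the expected interface and passes the spoof check.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (assumption): prefixes assigned to the private LAN
# behind the firewall. Any other address is treated as "outside".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]

# Constructed blocklist of external hosts, showing that ingress filtering
# can go beyond spoof detection (the text's blacklist filtering).
BLOCKLIST = {ip_address("203.0.113.7")}


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def filter_packet(src, arriving_on):
    """Decide a packet's fate from its source address and the interface it
    arrived on. arriving_on is "outside" (ingress) or "inside" (egress).
    Returns (verdict, reason)."""
    src = ip_address(src)
    internal = is_internal(src)
    if arriving_on == "outside":
        # Ingress: a LAN address cannot legitimately enter from the Internet.
        if internal:
            return "DROP", "ingress spoof: internal source from outside"
        if src in BLOCKLIST:
            return "DROP", "ingress blocklist hit"
    elif arriving_on == "inside":
        # Egress: an Internet address cannot legitimately leave from the LAN.
        if not internal:
            return "DROP", "egress spoof: external source from inside"
    else:
        raise ValueError("arriving_on must be 'outside' or 'inside'")
    return "PASS", "source address consistent with interface"


# Constructed sample packets: (source address, arriving interface, note)
SAMPLES = [
    ("192.168.1.20", "outside", "LAN address arriving from the Internet"),
    ("198.51.100.9", "inside", "Internet address leaving the LAN"),
    ("203.0.113.7", "outside", "blocklisted external host"),
    ("198.51.100.9", "outside", "ordinary inbound packet"),
    ("192.168.1.20", "inside", "LAN host .99 claiming to be .20 (undetected)"),
]


def run_samples(samples=SAMPLES):
    return [(note, filter_packet(src, iface)[0]) for src, iface, note in samples]


if __name__ == "__main__":
    for note, verdict in run_samples():
        print(f"{verdict:4} {note}")
```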
