Rich Brown writes: > - I have added a BCP38 page to give an overview of that page. A > question that I haven't seen addressed in the commentary on the list: > Does this BCP38 implement also filter out spoofed source addresses? (I > imagine it would, but the pages don't specifically say so.) It blocks the configured subnets: - at ingress on one - at egrees on destination. I.e. a packet arriving on the WAN interface *from* one of the configured subnets or a packet departing the WAN interface *towards* one of the configured subnets will get dropped. You could presumably still send a packet from the inside with a spoofed source address, but that source address would then get rewritten by the NAT filter... -Toke