Appreciate the quick response jggimi. I've got the antispoof rules up like you suggested and have tried several other variants, but I have yet to find one that will be able to antispoof an established connection. These spoofs are from connections established from the web browser. Someone has been able to get a hold of my IP and port of established web connections and inject attacks. An example:
Code:
(http_inspect) DOUBLE DECODING ATTACK 2009-02-27 07:59:07 192.168.xxx.yy:52493 208.43.92.218:80
The IPs are getting NAT'd, that's why the 192.168.xxx.yy:52493, and they are getting sent directly to the LAN computer. So (I'm guessing), to the firewall it looks like an ordinary packet on an established connection. Here are the antispoof rules I'm using:
Code:
antispoof log for { lo0 $WAN_NIC $LAN_NIC }
block out log quick on $WAN_NIC from ! $WAN_NIC to any
So I thought I might have to take a new route with stateful tracking? Any thoughts on how I might be able to antispoof these IPs? If not, I'd really like to be able to slow them down.
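As an added example (not from the poster or jggimi), a pf.conf fragment showing how the antispoof rules above combine with a default-deny policy and stateful rules, so that only replies to connections the LAN itself opened are let back in. The interface names em0/em1, the 192.168.0.0/16 LAN range and the pre-4.7 `nat on` syntax are assumptions.

```pf
# Added example: interface names and LAN range are assumed
ext_if  = "em0"             # $WAN_NIC in the post
int_if  = "em1"             # $LAN_NIC in the post
lan_net = "192.168.0.0/16"  # assumed; the post only shows 192.168.xxx.yy

# Loopback is not filtered; antispoof on lo0 would otherwise need its own pass rules
set skip on lo0

# NAT the LAN out through the WAN address (pre-4.7 syntax)
nat on $ext_if from $lan_net to any -> ($ext_if)

# Drop (and log) packets whose source address cannot legitimately arrive
# on that interface, i.e. spoofed sources
antispoof log quick for { $ext_if $int_if }
block out log quick on $ext_if from ! ($ext_if) to any

# Default deny, logged: anything not explicitly passed below is dropped
block log all

# Only a bare SYN (flags S/SA) creates state, so replies are accepted
# only for TCP sessions the LAN started
pass in  on $int_if proto tcp from $lan_net to any flags S/SA keep state
pass out on $ext_if proto tcp from ($ext_if) to any flags S/SA keep state

# Same idea for UDP and ICMP: outbound creates state, inbound must match it
pass in  on $int_if proto { udp icmp } from $lan_net to any keep state
pass out on $ext_if proto { udp icmp } from ($ext_if) to any keep state
```

The alert in the post is on the server side of a connection the LAN browser itself opened, so a stateful firewall passes it as a legitimate reply; these rules stop unsolicited and spoofed-source packets, not the content of established sessions, which is what the http_inspect preprocessor is flagging.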