How actually do attackers penetrate firewalls? I have read that some may spoof the sending IP address. But doesn't a stateful firewall keep track of sequence numbers? Or does the attacker machine gun it and try all the sequence numbers? So I have made a firewall rule on my PIX external interface to deny sender addresses bearing an internal IP. But not being a pen tester, I still don't quite understand how an attack works.
Here are some references:

- Pp. 18-22 of "Comparative Firewall Study" - pdf at hxxp://monarch.qucosa.de/fileadmin/data/qucosa/documents/4892/data/firewall_study.pdf
- "Type of Attacks" - pdf at hxxps://www.dsci.in/sites/default/files/Type%20of%20Attacks_DSCI_White%20Paper_1.pdf - contains more than just firewall attacks
- "What Do Firewalls Protect? An Empirical Study of Firewalls, Vulnerabilities, and Attacks" - pdf at hxxp://www.cs.ucdavis.edu/research/tech-reports/2010/CSE-2010-8.pdf
- Papers on inbound tests and other non-leak tests of firewalls
Somewhat outdated, but a good source for firewall info: https://www.wilderssecurity.com/showthread.php?t=24415