Firewall question

How actually do attackers penetrate firewalls? I have read that some may spoof the sending ip address. But doesn't a stateful firewall keep track of sequence numbers? Or does the attacker machine gun it and try all the sequence numbers? So I have made a firewall rule on my PIX external interface to deny sender addresses bearing an internal ip. But not being a pen tester, I still don't quite understand how an attack works.

 

Here are some references:

Pp. 18-22 of "Comparative Firewall Study" - pdf at hxxp://monarch.qucosa.de/fileadmin/data/qucosa/documents/4892/data/firewall_study.pdf

"Type of Attacks" - pdf at hxxps://www.dsci.in/sites/default/files/Type%20of%20Attacks_DSCI_White%20Paper_1.pdf - contains more than just firewall attacks

"What Do Firewalls Protect? An Empirical Study of Firewalls, Vulnerabilities, and Attacks" - pdf at hxxp://www.cs.ucdavis.edu/research/tech-reports/2010/CSE-2010-8.pdf

Papers on inbound tests and other non-leak tests of firewalls

 

Firewalls Explained: A Technical Overview

 

Common Network Security Misconceptions: Firewalls Exposed

 

How can attackers bypass firewalls?

 

13 ways through a firewall: What you don’t know can hurt you