On some of my production systems that need to be accessible outside of the LAN, I will sometimes add a firewall restriction at the edge to only permit traffic on, say, RDP from a specific origin IP address or block. Of course, the IP needs to be static (or I need to update it whenever it changes), but my question is how reliable is this as a means of preventing attackers from accessing this system? In the case of RDP (the most common) there is still username/password authentication, but is relying on these IP-based firewall restrictions a bad idea?
My thought originally was that IP spoofing is more useful in denial-of-service, when you don't really care about the packets getting back to the originator, but in terms of gaining elevated access, is it really that easy for an attacker to spoof his IP and have packets somehow routed back to his real address?
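An added illustration of the reasoning in the question, not code from the asker: it models the edge rule as a stateless source-address check and then the TCP three-way handshake that RDP needs on top of it, using constructed RFC 5737 documentation addresses, so that you can see why a spoofed source passes the ACL but never yields a usable connection.

```python
import ipaddress

# Constructed example: the operator's static office block is allowed to reach RDP.
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]
RDP_PORT = 3389


def acl_permits(src_ip, dst_port, allowed=ALLOWED_SOURCES, port=RDP_PORT):
    """Stateless edge rule: permit TCP to the RDP port only when the source
    address lies inside one of the allowed blocks. This check sees only the
    address written in the packet header, so a forged address satisfies it."""
    addr = ipaddress.ip_address(src_ip)
    return dst_port == port and any(addr in net for net in allowed)


def tcp_connection_outcome(claimed_src, real_sender, dst_port, allowed=ALLOWED_SOURCES):
    """Model one connection attempt.
    claimed_src is the source address carried in the SYN; real_sender is the
    host that actually emitted it. The server answers with a SYN-ACK routed to
    claimed_src, and the final ACK must echo the server's initial sequence
    number from that SYN-ACK, so only the host that really owns claimed_src
    can complete the handshake (modern stacks randomise that number)."""
    if not acl_permits(claimed_src, dst_port, allowed):
        return "dropped_by_acl"          # rule does its job: wrong source block
    if claimed_src != real_sender:
        return "syn_ack_misrouted"       # forged source: reply goes to the real owner
    return "established"                 # genuine allowed origin; auth still applies


def summarise(attempts):
    """Evaluate a list of (claimed_src, real_sender, dst_port) attempts."""
    return {f"{c}<-{r}:{p}": tcp_connection_outcome(c, r, p) for c, r, p in attempts}


if __name__ == "__main__":
    # Constructed attempts: legitimate office host, a host outside the block,
    # and the same outside host writing the office address into its packets.
    cases = [
        ("203.0.113.10", "203.0.113.10", 3389),
        ("198.51.100.7", "198.51.100.7", 3389),
        ("203.0.113.10", "198.51.100.7", 3389),
    ]
    for key, outcome in summarise(cases).items():
        print(f"{key:32} -> {outcome}")
```

The model shows the allowlist as a pre-authentication filter: it removes the bulk of unsolicited sources, while a forged allowed address is a dead end without the return path, and the genuine origin still has to pass RDP's own credential check.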