Subject: Should loose source routing be enabled if not IPFORWARDING?
To: None <current-users@netbsd.org>
From: George Michaelson <G.Michaelson@cc.uq.oz.au>
List: current-users
Date: 12/14/1994 09:15:29
We've been using Net/FreeBSD as firewall boxes here, disabling
IP forwarding and gateway options. A quick test revealed that if packets
with IP options set to loose source route flow, they still transit in
the kernel following the explicit route.

Locally the firewall expert has #ifdef'd this out, but there's an idea
floating around the hosts requirements or related docs may obligate
leaving lsr enabled.

Anybody have any idea what NetBSD maybe should do by default? Seems to
me that disabling forwarding doesn't necessarily imply no packet transit
through the kernel, and that a distinct option in the kernel config might
be wanted to make a box into a firewall.

-George
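
An added example, not part of the original post and not code from the NetBSD or FreeBSD kernel: a stand-alone check that walks the IPv4 options of a raw header and reports whether a loose (or, going slightly beyond the post, strict) source route option is present, so a non-forwarding host can drop the packet instead of following the route. The function name, verdict names, the drop policy and the sample headers are assumptions constructed for illustration; the option type values are those of RFC 791.

```c
#include <stddef.h>
#include <stdint.h>

/* IPv4 option types from RFC 791. */
#define IPOPT_EOL  0    /* end of option list */
#define IPOPT_NOP  1    /* one-byte padding */
#define IPOPT_LSRR 131  /* loose source and record route */
#define IPOPT_SSRR 137  /* strict source and record route */

enum sr_verdict { SR_ACCEPT, SR_DROP_SRCROUTE, SR_DROP_MALFORMED };

/* Hypothetical filter: decide what a non-forwarding host does with a header. */
enum sr_verdict check_source_route(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return SR_DROP_MALFORMED;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;  /* IHL counts 32-bit words */
    if (hlen < 20 || hlen > len)
        return SR_DROP_MALFORMED;
    size_t i = 20;                              /* options follow the fixed header */
    while (i < hlen) {
        uint8_t type = pkt[i];
        if (type == IPOPT_EOL)
            break;
        if (type == IPOPT_NOP) { i++; continue; }
        if (i + 1 >= hlen)                      /* no room for the length byte */
            return SR_DROP_MALFORMED;
        uint8_t optlen = pkt[i + 1];            /* length covers type and length bytes */
        if (optlen < 2 || i + optlen > hlen)
            return SR_DROP_MALFORMED;
        if (type == IPOPT_LSRR || type == IPOPT_SSRR)
            return SR_DROP_SRCROUTE;
        i += optlen;
    }
    return SR_ACCEPT;
}

/* Constructed sample headers (not captured traffic); unset bytes are zero. */
static const uint8_t pkt_plain[20] = { 0x45 };
static const uint8_t pkt_lsrr[28]  = { [0] = 0x47, [20] = 131, 7, 4, 192, 0, 2, 1, 0 };
static const uint8_t pkt_trunc[24] = { [0] = 0x46, [20] = 131, 11, 4, 192 };

int main(void)
{
    return !(check_source_route(pkt_plain, sizeof pkt_plain) == SR_ACCEPT &&
             check_source_route(pkt_lsrr, sizeof pkt_lsrr) == SR_DROP_SRCROUTE &&
             check_source_route(pkt_trunc, sizeof pkt_trunc) == SR_DROP_MALFORMED);
}
```
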