Subject: Re: making our tcp/ip a strong-end system
To: Todd Vierling <tv@pobox.com>
From: Luke Mewburn <lukem@goanna.cs.rmit.edu.au>
List: tech-net
Date: 11/13/1998 08:48:36
Todd Vierling writes:
> Then why not just use ipf and eliminate all of the workarounds of
> workarounds?
> 
> pass in quick on ne0 from any to 1.2.3.4
> block in quick on ne0 all
> pass in quick on ne1 from any to 4.3.2.1
> block in quick on ne1 all
> 
> And we're done.  (Did I miss something?)

What about non-unicast packets?

Given ne0 = 1.2.3.4, ne1 = 4.3.2.1, ne2 = 2.3.4.5, you'd probably need
	block in quick on ne0 from any to 4.3.2.1/32
	block in quick on ne0 from any to 2.3.4.5/32
	block in quick on ne1 from any to 1.2.3.4/32
	block in quick on ne1 from any to 2.3.4.5/32
	block in quick on ne2 from any to 1.2.3.4/32
	block in quick on ne2 from any to 4.3.2.1/32

Which may be more scalable to:
	block in on ne0 from any to <thishost>
	block in on ne1 from any to <thishost>
	block in on ne2 from any to <thishost>
	pass in on ne0 from any to 1.2.3.4/32
	pass in on ne1 from any to 4.3.2.1/32
	pass in on ne2 from any to 2.3.4.5/32
If <thishost> maps to any address of this machine.

(Darren, please correct me here if I'm wrong)


It looks like the strongendsystem stuff is controversial enough in its
current form that I'll have to take another look (the code needs work
anyway). Possibly adding the ability to set the flag per interface
would be useful.

Note: in any case, this change was *not* going to be the default, and
was only provided for people who wanted it.
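To make the difference between the two rule sets concrete, here is a small Python model of how ipf evaluates them against a few constructed packets. This is an added example, not code from the thread or from IP Filter itself: it implements only the subset of ipf syntax used above (`pass`/`block in [quick] on <iface> all | from any to <dst>`), models ipf's evaluation order (rules are scanned top to bottom, the last matching rule decides, a matching `quick` rule stops the scan, and a packet no rule matches is passed), and resolves `<thishost>` as the hypothetical placeholder the mail describes, i.e. any address of this machine, since it is not real ipf syntax. The interface addresses are the thread's; the packets are constructed.

```python
"""Model of ipf rule evaluation for the strong-end-system rule sets in the thread.

Assumptions (not from ipf or the thread): only 'in' rules with a destination
address or 'all' are supported; protocol, source, state and direction 'out'
are ignored; '<thishost>' is treated as a placeholder for the host's address set.
"""
import ipaddress
from dataclasses import dataclass

# Interface -> address mapping as given in the mail.
HOST_ADDRS = {"ne0": "1.2.3.4", "ne1": "4.3.2.1", "ne2": "2.3.4.5"}


@dataclass
class Rule:
    action: str   # "pass" or "block"
    quick: bool   # True when the rule carries the 'quick' keyword
    iface: str    # interface named after 'on'
    dst: str      # "any", "<thishost>", or an address/CIDR


def parse_rule(line: str) -> Rule:
    """Parse one rule of the form: (pass|block) in [quick] on <iface> (all | from any to <dst>)."""
    tok = line.split()
    if tok[0] not in ("pass", "block") or tok[1] != "in":
        raise ValueError(f"unsupported rule: {line!r}")
    iface = tok[tok.index("on") + 1]
    dst = "any" if tok[-1] == "all" else tok[tok.index("to") + 1]
    return Rule(tok[0], "quick" in tok, iface, dst)


def dst_matches(rule: Rule, dst_ip: ipaddress.IPv4Address) -> bool:
    if rule.dst == "any":
        return True
    if rule.dst == "<thishost>":  # hypothetical placeholder: any address of this host
        return str(dst_ip) in HOST_ADDRS.values()
    return dst_ip in ipaddress.ip_network(rule.dst, strict=False)


def evaluate(rules, iface: str, dst: str) -> str:
    """ipf semantics: last matching rule wins, 'quick' ends the scan, no match means pass."""
    dst_ip = ipaddress.ip_address(dst)
    verdict = "pass"
    for r in rules:
        if r.iface != iface or not dst_matches(r, dst_ip):
            continue
        verdict = r.action
        if r.quick:
            break
    return verdict


RULESETS = {
    # Todd's proposal: pass the interface's own address, quick-block everything else.
    "todd_quick": [
        "pass in quick on ne0 from any to 1.2.3.4",
        "block in quick on ne0 all",
        "pass in quick on ne1 from any to 4.3.2.1",
        "block in quick on ne1 all",
    ],
    # Luke's explicit list: block only the other interfaces' addresses.
    "luke_blocklist": [
        "block in quick on ne0 from any to 4.3.2.1/32",
        "block in quick on ne0 from any to 2.3.4.5/32",
        "block in quick on ne1 from any to 1.2.3.4/32",
        "block in quick on ne1 from any to 2.3.4.5/32",
        "block in quick on ne2 from any to 1.2.3.4/32",
        "block in quick on ne2 from any to 4.3.2.1/32",
    ],
    # Luke's <thishost> form: non-quick, so the later 'pass' overrides the block.
    "luke_thishost": [
        "block in on ne0 from any to <thishost>",
        "block in on ne1 from any to <thishost>",
        "block in on ne2 from any to <thishost>",
        "pass in on ne0 from any to 1.2.3.4/32",
        "pass in on ne1 from any to 4.3.2.1/32",
        "pass in on ne2 from any to 2.3.4.5/32",
    ],
}

# Constructed packets: (ingress interface, destination address).
PACKETS = {
    "own_addr":           ("ne0", "1.2.3.4"),
    "other_iface_addr":   ("ne0", "4.3.2.1"),
    "limited_broadcast":  ("ne0", "255.255.255.255"),
    "directed_broadcast": ("ne0", "1.2.3.255"),
    "multicast":          ("ne0", "224.0.0.1"),
}


def strong_end_verdicts() -> dict:
    """Verdict of every rule set for every constructed packet."""
    parsed = {name: [parse_rule(l) for l in lines] for name, lines in RULESETS.items()}
    return {name: {p: evaluate(rs, *PACKETS[p]) for p in PACKETS} for name, rs in parsed.items()}


if __name__ == "__main__":
    for name, verdicts in strong_end_verdicts().items():
        print(name)
        for pkt, v in verdicts.items():
            print(f"  {pkt:20s} {v}")
```

Running it shows the point of the "non-unicast" question: both of Luke's variants block a packet for 4.3.2.1 arriving on ne0 while letting limited broadcast, directed broadcast and multicast through, whereas the quick-block-all form also drops those. The `luke_thishost` set additionally relies on ipf's last-match rule, since its `block ... <thishost>` line matches the interface's own address and is only overridden by the later non-quick `pass`.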