>> ep0 should not be a "strong host" interface (at least according to my
>> understanding of the definition that's evolved here), but instead a
>> "strong router" interface.  and the stuff that you want to block
>> should probably be filtered...
>> 
>> ...oh wait.  you're using a cable modem with nat, right?
>
>Close. I'm using a cable modem with a tunnelled subnet or two.  But
>the bottom line is the same -- I want to *look* like a single host to
>the immediately connected upstream network.

then...(a) your upstream provider thinks you're a single host and only
routes to you a single address?  and (b) you don't want any packets
leaking out?  still seems like filtering to me...or at least another
application of the already established "strong host" model (as far as
remote input is concerned).

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."