Subject: Re: net.inet.tcp.log_refused??
To: Manuel Bouyer <bouyer@antioche.lip6.fr>
From: Darren Reed <darrenr@reed.wattle.id.au>
List: tech-net
Date: 05/27/1999 22:38:28
FWIW, I think there are other things which should be sysctls in the
TCP/IP code which are much more useful than net.inet.tcp.log_refused.
How about controls for changing how much memory can be used to hold
fragments so that protection against denial of service attacks using
large numbers of fragments is neutered?

Personally, I regard having a special kernel mod to do this as a joke,
although I can understand why someone would think it appropriate,
and unless you're running on Gigabit Ethernet with a 386, I do not
see any value in arguing IP Filter is "too heavy" for the job.  If you
were really concerned about speed, you'd use another box to snoop the
traffic going to that one and strip it down to be a router only.

Darren