Subject: Re: Ye olde PR #991 - packets destined for interface IP# are accepted regardless of which interface they arrive on.
To: Michael Richardson <mcr@sandelman.ottawa.on.ca>
From: Andrew Brown <atatat@atatdot.net>
List: tech-net
Date: 05/06/2000 14:35:57
>    Erik> If you're not a router (IPFORWARDING=0), then the strict
>    
>    && IPFILTER==0
>
>    Erik> destination code should be on, and packets that came in from the
>    Erik> wrong interface should be rejected.
>
>  If I'm a firewall, then I have IPFORWARDING on, since I want to forward.
>But, I still want strict address checking, since it makes my rules a lot
>simpler.

if you're a firewall, you should have ipforwarding off and you should
be proxying services.  if you're forwarding packets, you're *NOT* a
firewall.

if you're a packet filtering router, then you have forwarding on, and
this code doesn't help you, since you can expect to be receiving many
packets on many interfaces with destination addresses that aren't
yours.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."