Geez, lets look at other sysctl's which can be replaced with IP Filter:

net.inet.ip.directed-broadcast
net.inet.ip.forwsrcrt
net.inet.ip.allowsrcrt
net.inet.ip.redirect
net.inet.ip.forwarding
net.inet.icmp.maskrepl

Why not just enable each of the above and control it through packet
filter lists in IP Filter ?

The sysctl Luke is proposing is a "simple" switch that has benefits
other than security.

Darren