Subject: Re: Ye olde PR #991 - packets destined for interface IP# are accepted regardless of which interface they arrive on.
To: None <atatat@atatdot.net>
From: Darren Reed <darrenr@reed.wattle.id.au>
List: tech-net
Date: 05/06/2000 13:58:02
In some email I received from Andrew Brown, sie wrote:
> >Looking at the top 10 old PR's which have not been closed, 991 (one that
> >I'm responsible for :) is now there...and I think it is well past the
> >time when it should be dealt with (there's been enough discussion about
> >it both in GNATS and here :)
> >
> >The patch below introduces net.inet.ip.strictdest and I've set it up to
> >default to the value of 1 - i.e. to enforce IP#'s to match interfaces.
> 
> i think the consensus the last time this went around was that this
> could be done by people that wanted via ipfilter.  a script (perl or
> sh, i guess) should be able to generate the rules required for this
> rather easily.

All IP Filter does is control the flow of packets - this sysctl controls
whether or not the host recognises a packet as being for itself.  You can
shore up support to in effect restrict packet flow to be that which matches
the behaviour of the sysctl variable but that is still not the same.  There
is a subtle, but I think significant, difference.

> on the other hand...now that i have your attention, is "operator
> intelligence" the only protection against something like
> 
>    pass in quick on lo0 to lo0 from any to any
> 
> ???  i just tried it to see if it would lock up the machine.  and how!

Hmmm.  I think the answer to this is "yes".

Darren
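As an added example (not from this thread and not NetBSD's or IP Filter's own code), a small Python model of the two mechanisms contrasted above: a `host_accepts` check that mimics the described net.inet.ip.strictdest semantics over a constructed dual-homed interface table (loopback left out of the model), and a generator for the kind of IP Filter rules Andrew suggests scripting. The interface names, addresses and the exact rule form are assumptions.

```python
from ipaddress import ip_address, ip_interface

# Constructed interface table for a dual-homed host: ifname -> addresses.
# Loopback is deliberately omitted; this is a model, not the kernel's logic.
IFACES = {
    "fxp0": [ip_interface("192.0.2.10/24")],
    "fxp1": [ip_interface("198.51.100.10/24")],
}

def local_addresses(ifaces):
    """Every address the host owns, regardless of interface."""
    return {a.ip for addrs in ifaces.values() for a in addrs}

def host_accepts(in_if, dst, ifaces, strictdest):
    """Does the host treat a packet arriving on in_if for dst as its own?

    strictdest=0: any address the host owns is accepted on any interface
                  (the behaviour PR #991 complains about).
    strictdest=1: dst must be configured on the interface the packet
                  arrived on (assumed semantics of net.inet.ip.strictdest).
    """
    dst = ip_address(dst)
    if not strictdest:
        return dst in local_addresses(ifaces)
    return dst in {a.ip for a in ifaces.get(in_if, [])}

def ipf_rules_for_strictdest(ifaces):
    """Generate IP Filter rules approximating strictdest=1: on each
    interface, block inbound packets addressed to an address owned by a
    *different* interface.  This only restricts packet flow; the stack
    still considers those addresses local, which is Darren's point."""
    rules = []
    for ifname, addrs in ifaces.items():
        own = {a.ip for a in addrs}
        for other in sorted(local_addresses(ifaces) - own, key=str):
            rules.append(f"block in quick on {ifname} from any to {other}")
    return rules

if __name__ == "__main__":
    # A packet for fxp0's address arriving on fxp1: accepted only when lax.
    print(host_accepts("fxp1", "192.0.2.10", IFACES, strictdest=0))
    print(host_accepts("fxp1", "192.0.2.10", IFACES, strictdest=1))
    print("\n".join(ipf_rules_for_strictdest(IFACES)))
```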