Subject: Re: disabling source routing and ip-forwarding in current?
To: Herb Peyerl <hpeyerl@novatel.ca>
From: David Jones <dej@eecg.toronto.edu>
List: current-users
Date: 04/06/1995 11:13:29
>  > Simply remove options IPFORWARDING and options GATEWAY from the config file.
> 
> That doesn't disable source routes.

Well, _MY_ preferred solution is to enable GATEWAY and install Firewall'95,
yet another NetBSD packet filter.  I call it Firewall'95 because I told
some people it would be ready in January. :-)

Firewall'95 will do the following:

- Block source routes
- Block detectable source address spoofs
- Filter based on source addr, dest. addr, source/dest ports, protocol.
  Addresses can have arbitrary binary masks; ports can be specified by
  a range.
- Upon being matched by a filter rule, a packet can be let through,
  blocked, or blocked with ICMP port unreachable message.
- Independent of all that, packets matching rules can also be logged.
  You can log both rejections and stuff you let through.
- TCP filter rules are direction sensitive.
- Everything controlled by binary filter table copied to /dev/firewall.
  Compiler and decompiler software included.

Firewall'95 has been protecting the Toronto Free-Net for almost a year now.
That's over 100 users' worth of telnet, email, news and WWW traffic, 24
hours a day.

I don't have the source archived for distribution yet; it's still in the
final stages of testing.  If you want to help me test...

-- 
David Jones, M.A.Sc student, Electronics Group (VLSI), University of Toronto
           email: dej@eecg.toronto.edu, finger for PGP public key
         For a good time, telnet torfree.net and log in as `guest'.
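As an added illustration of the rule semantics listed in the message above (this is not Firewall'95 code, whose source the author says is not yet distributed), here is a small first-match filter table in C with masked addresses, port ranges, protocol, pass/block/block-with-ICMP actions, per-rule logging and direction-sensitive TCP rules. The inside network, the sample rule set, the spoof heuristic (an inbound packet claiming an inside source address) and the assumption that IP source-route options have already been parsed into a flag are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example of the filter features described in the message:
 * masked src/dst addresses, port ranges, protocol, pass/drop/reject actions,
 * per-rule logging and direction-sensitive TCP. Not Firewall'95 code; every
 * address and rule below is made up (192.0.2.0/24 etc. are documentation ranges). */

#define IP4(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))
#define PROTO_ANY  0
#define PROTO_ICMP 1
#define PROTO_TCP  6
#define PROTO_UDP  17

enum action { ACT_PASS, ACT_DROP, ACT_REJECT };  /* REJECT = drop + ICMP port unreachable */
enum dir    { DIR_ANY, DIR_IN, DIR_OUT };        /* IN = arrived on the outside interface */

struct rule {
    uint32_t src, smask, dst, dmask;   /* match when (addr & mask) == (rule & mask) */
    uint8_t  proto;                    /* PROTO_ANY matches every protocol */
    uint16_t sport_lo, sport_hi;       /* inclusive ranges; 0..65535 means any */
    uint16_t dport_lo, dport_hi;
    enum dir direction;                /* only checked for TCP, as in the message */
    enum action act;
    int log;                           /* 1 = log matches, whether passed or blocked */
};

struct packet {
    uint32_t src, dst;
    uint8_t  proto;
    uint16_t sport, dport;
    enum dir direction;
    int has_source_route;              /* LSRR/SSRR option present (assumed pre-parsed) */
};

static int in_range(uint16_t v, uint16_t lo, uint16_t hi) { return v >= lo && v <= hi; }

static int rule_matches(const struct rule *r, const struct packet *p) {
    if ((p->src & r->smask) != (r->src & r->smask)) return 0;
    if ((p->dst & r->dmask) != (r->dst & r->dmask)) return 0;
    if (r->proto != PROTO_ANY && r->proto != p->proto) return 0;
    if (p->proto == PROTO_TCP || p->proto == PROTO_UDP) {
        if (!in_range(p->sport, r->sport_lo, r->sport_hi)) return 0;
        if (!in_range(p->dport, r->dport_lo, r->dport_hi)) return 0;
    }
    if (p->proto == PROTO_TCP && r->direction != DIR_ANY && r->direction != p->direction) return 0;
    return 1;
}

/* Fixed policy checks (source routes, detectable spoofs) run before the table;
 * then the first matching rule wins; anything unmatched is dropped (default deny).
 * *logged reports whether the decision should be logged. */
static enum action filter(const struct rule *t, int n, const struct packet *p,
                          uint32_t inside, uint32_t inside_mask, int *logged) {
    *logged = 1;                                   /* policy drops are always logged here */
    if (p->has_source_route) return ACT_DROP;
    /* "detectable spoof": came in from outside but claims an inside source address */
    if (p->direction == DIR_IN && (p->src & inside_mask) == (inside & inside_mask)) return ACT_DROP;
    for (int i = 0; i < n; i++)
        if (rule_matches(&t[i], p)) { *logged = t[i].log; return t[i].act; }
    *logged = 0;
    return ACT_DROP;
}

/* Sample site: inside network 192.0.2.0/24 (constructed) */
static const uint32_t INSIDE = IP4(192,0,2,0), INSIDE_MASK = 0xFFFFFF00u;
static const struct rule sample_table[] = {
    /* inbound telnet to any inside host: pass and log */
    { 0,0, IP4(192,0,2,0),0xFFFFFF00u,  PROTO_TCP,  0,65535, 23,23,   DIR_IN,  ACT_PASS,   1 },
    /* inbound SMTP to the mail host only */
    { 0,0, IP4(192,0,2,10),0xFFFFFFFFu, PROTO_TCP,  0,65535, 25,25,   DIR_IN,  ACT_PASS,   0 },
    /* inbound UDP to privileged ports: refuse with ICMP port unreachable, log */
    { 0,0, IP4(192,0,2,0),0xFFFFFF00u,  PROTO_UDP,  0,65535, 1,1023,  DIR_ANY, ACT_REJECT, 1 },
    /* outbound TCP from inside: pass */
    { IP4(192,0,2,0),0xFFFFFF00u, 0,0,  PROTO_TCP,  0,65535, 0,65535, DIR_OUT, ACT_PASS,   0 },
    /* ICMP either way */
    { 0,0, 0,0,                         PROTO_ICMP, 0,65535, 0,65535, DIR_ANY, ACT_PASS,   0 },
};
#define NRULES ((int)(sizeof sample_table / sizeof sample_table[0]))

/* Evaluate one constructed packet against the sample table: action, and log flag */
static enum action action_of(uint32_t s, uint32_t d, uint8_t pr, uint16_t sp, uint16_t dp,
                             enum dir dir_, int srcroute) {
    struct packet p = { s, d, pr, sp, dp, dir_, srcroute }; int lg;
    return filter(sample_table, NRULES, &p, INSIDE, INSIDE_MASK, &lg);
}
static int log_of(uint32_t s, uint32_t d, uint8_t pr, uint16_t sp, uint16_t dp,
                  enum dir dir_, int srcroute) {
    struct packet p = { s, d, pr, sp, dp, dir_, srcroute }; int lg;
    filter(sample_table, NRULES, &p, INSIDE, INSIDE_MASK, &lg);
    return lg;
}

int main(void) {
    static const char *names[] = { "pass", "drop", "reject" };
    /* inbound telnet from an outside host: rule 1 passes and logs it */
    printf("telnet in:    %s\n", names[action_of(IP4(198,51,100,7), IP4(192,0,2,20), PROTO_TCP, 40000, 23, DIR_IN, 0)]);
    /* same packet but claiming an inside source: caught by the spoof check */
    printf("spoofed in:   %s\n", names[action_of(IP4(192,0,2,5), IP4(192,0,2,20), PROTO_TCP, 40000, 23, DIR_IN, 0)]);
    /* inbound UDP to a privileged port: rejected with ICMP port unreachable */
    printf("udp/53 in:    %s\n", names[action_of(IP4(198,51,100,7), IP4(192,0,2,20), PROTO_UDP, 5555, 53, DIR_IN, 0)]);
    return 0;
}
```

Two design points worth noting: the source-route and spoof checks sit outside the rule table so that no ordering mistake in the table can let them through, and the unmatched case falls through to a drop, so forgetting a rule fails closed rather than open.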