Subject: Re: kern/35196: sockets should die if addresses vanish
To: Manuel Bouyer <bouyer@antioche.eu.org>
From: Perry E. Metzger <perry@piermont.com>
List: netbsd-bugs
Date: 12/07/2006 16:40:24

Manuel Bouyer <bouyer@antioche.eu.org> writes:
>> In addition to the possibility of a sysctl for the behavior, here is
>> another idea: perhaps if you no longer have the origination address
>> bound to any interface, you drop the packets you would otherwise send
>> out from earlier connections rather than sending them out on an actual
>> network. Then, if you get the address back, you can stop dropping
>> them. This surely will cause no one any inconvenience, since those
>> packets could never be replied to. It will not, however, be an optimal
>> solution from my point of view...
>
> If your problem is that the system sends packets that could be seen as
> spoofed, then yes it's an acceptable solution.

That is one problem. The bigger problem is processes that don't know
that they should be doing something to re-open a socket because their
original connection is no longer actually real.

Perry