Randy Bush said: > for each interface on a router > block tcp which is both to and from that interface I don't think that's sufficient. What about spoofed packets arriving via interface A, with IP source and destination both set to the address of interface B? --apb (Alan Barrett)