The DoS prevention functions (not letting directed bcast in, and not letting forged addresses out) should be done at provider's side.
nope, won't work. well...it might, but you also might find very irate customers jumping up and down screaming about the filtering. the provider simply cannot know what is and what is not a broadcast address, simply because the customer gets to set up their own networks. i, for one, am using what is "technically" a broadcast address as a unicast address (think point to point). others may be doing the same. just because an address is on one end or another of a cidr block (or c or b block), doesn't mean that it's broadcast.

--
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org
twofsonet@graffiti.com (Andrew Brown)
andrew@crossbar.com
* "ah! i see you have the internet that goes *ping*!"
* "information is power -- share the wealth."
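
The point made in the reply above, as an added example that is not part of the original thread: it compares the directed-broadcast addresses an upstream filter would infer from block boundaries with the ones a customer's real subnet plan produces. The 192.0.2.0/24 documentation prefix, the subnet plan and all function names are constructed for illustration, and /31 links are assumed to be point-to-point with no broadcast address.

```python
import ipaddress

# Constructed customer plan inside a constructed allocation (documentation range).
ALLOCATION = "192.0.2.0/24"
CUSTOMER_PLAN = [
    "192.0.2.0/26", "192.0.2.64/27", "192.0.2.96/27", "192.0.2.128/26",
    "192.0.2.192/27", "192.0.2.224/28", "192.0.2.240/29", "192.0.2.248/30",
    "192.0.2.252/31", "192.0.2.254/31",   # point-to-point links
]

def actual_broadcasts(subnets):
    """Directed-broadcast addresses that really exist in the customer's plan."""
    found = set()
    for cidr in subnets:
        net = ipaddress.ip_network(cidr)
        # Assumption: /31 point-to-point links and /32 host routes carry
        # only unicast addresses, so they contribute no broadcast address.
        if net.prefixlen < 31:
            found.add(net.broadcast_address)
    return found

def provider_guess(allocation, assumed_prefix):
    """Addresses a provider would filter if it assumed uniform subnetting."""
    alloc = ipaddress.ip_network(allocation)
    return {n.broadcast_address for n in alloc.subnets(new_prefix=assumed_prefix)}

def compare(allocation, assumed_prefix, subnets):
    """Return what the provider-side guess blocks wrongly and what it misses."""
    guess = provider_guess(allocation, assumed_prefix)
    actual = actual_broadcasts(subnets)
    return {
        # Unicast addresses the filter would drop traffic to.
        "false_positives": [str(a) for a in sorted(guess - actual)],
        # Real directed-broadcast addresses the filter lets through.
        "missed": [str(a) for a in sorted(actual - guess)],
    }

if __name__ == "__main__":
    for prefix in (24, 26, 27):
        result = compare(ALLOCATION, prefix, CUSTOMER_PLAN)
        print(f"provider assumes /{prefix}:")
        print("  blocks unicast :", result["false_positives"])
        print("  misses bcast   :", result["missed"])
```
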