Hi CISCO :-) I know this isn't their list, but since most major network providers run their stuff, this is as good a place as any to talk about this. How about an interface keyword such as "auto-inbound-filter", which does this: At STARTUP and when the LOCAL route table changes (ie: "ip route xxx..." statements) the system looks at the interfaces, and the local static routes, and builds an accept list for that interface. The list is stored in a "reserved" set of system access lists. Add a parmaeter which can be turned on (ie: log) which would add "log" to the end of the filter lists, so that anyone TRYING to smurf will get logged This would totally automate the process of inbound filtering to prevent or severely limit smurf attacks. Since filters which are based only on the source address are relatively cheap for the router to process, this would likely not seriously burden anyone in their direct connections. I'd love to see something like this, and it would reduce the complaint that its "too hard to manage" such things. -- -- Karl Denninger (karl@MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin http://www.mcs.net/ | T1's from $600 monthly to FULL DS-3 Service | NEW! K56Flex support on ALL modems Voice: [+1 312 803-MCS1 x219]| EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS Fax: [+1 312 803-4929] | *SPAMBLOCK* Technology now included at no cost