> How hard would it be to modify tcpwraper (for example) to check the > incomming MAC address on a connection and to be worried if it came from a > list of routers but the address was the local net? This breaks people who might have their netmasks set incorrectly on the local net.