I would suggest an optionally enabled feature in the firewall filtering for routers that:
1. Looks at the routing table.
2. Discards the default route(s) from it's read-only observation of the routing table, (or routes that use a specified upstream interface.)
3. Builds a firewall ruleset where packets not having source addresses in those IP ranges found in the routing table are discarded or handled by a user specified option.
4. Maintains the correlation between routing table and firewall.

This feature could then be applied to an interface, and it would stop all spoofing very easily and automatically.

It has long been a good security practice to not let packet pass through routers when you know they don't come or don't look like they come from your own network. (Unless you are an upstream BGP player, then there are BGP Filters for that). However, I have a big network with lots of MTs and lots of IP ranges and am always adding IP ranges, changing things, etc.. and it is not practical to manually create rules like this that block forged packets or illegitimate packet sources. I was recently reminded I should be doing more firewalling of this nature after seeing how the v3.2 snmp exploit's source forging works so well and easily.

On other platforms the same has been implemented by doing a route lookup on source address and comparing packet in-interface with route out-interface.
I too want to see such a feature. 1 rule to end all locally spoofing. It would be awesome!

I would none-the-less LOVE to implement something like this for our PPPoE clients and the interfaces that serve DHCP to our CPEs

i was working on a script and address-list to do this, if i ever finish it i will post it.

i was working on a script and address-list to do this, if i ever finish it i will post it.

hi changeip your script its really important please post it