I have totally restructured the firewall rules in response to yesterday's Denial of Service attack. Now all filtering is done on the incoming side of the interface cards. This prevents the hostile packets from crossing the main bus and eating CPU. Yesterday's attack consisted of a large number of small packets that exhausted CPU. These changes will address exactly this type of attack. The interface cards are intelligent and perform filtering actions without requiring the router's main processors to be involved.
It also simplified the filtering by eliminating the necessity to allow local exceptions for local machine communications between subnets.
In addition, I have blocked access to all router interfaces and broadcast addresses from the outside, which will prevent certain types of abuse.
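As an added illustration (not the author's own configuration), this is what an inbound filter of the kind described above looks like in Cisco IOS syntax; the platform is assumed, and the addresses are constructed RFC 5737 documentation ranges standing in for the router's link subnet (198.51.100.0/24) and the inside LAN (203.0.113.0/24).

```cisco
! Constructed example: ingress ACL evaluated on the interface card,
! so blocked packets never reach the main bus or the route processor.
ip access-list extended OUTSIDE-IN
 remark -- drop anything addressed to the router's own interfaces
 deny   ip any host 198.51.100.1
 deny   ip any host 203.0.113.1
 remark -- drop anything addressed to inside broadcast addresses
 deny   ip any host 203.0.113.255
 deny   ip any host 203.0.113.0
 remark -- remaining traffic bound for the inside LAN is allowed
 permit ip any 203.0.113.0 0.0.0.255
 remark -- explicit final deny (implicit anyway, kept for readability)
 deny   ip any any
!
interface Serial0
 description Link to upstream provider
 ip address 198.51.100.1 255.255.255.0
 ! "in" applies the list to packets arriving on this card
 ip access-group OUTSIDE-IN in
 ! never forward directed broadcasts onto the inside segments
 no ip directed-broadcast
```

Because the list is applied inbound on the outside interface only, hosts on the inside subnets still talk to each other and to the router without any local exception entries.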