The default Red Hat 6.2 kernel (tested on i386) accepts source routed frames. This is bad from a security standpoint because source routed frames are sometimes used by attackers to evade detection or hide their identity and location. The best practice is to drop source routed frames at the border (on the routers and firewalls) and the hosts as well.

The offending variables live in:

    /proc/sys/net/ipv4/conf/eth0/accept_source_route
    /proc/sys/net/ipv4/conf/default/accept_source_route

These values should be sysctl'd to 0 to drop source routed frames.

Agreed that firewall scripts should turn this off, but this isn't a bug in the configuration.
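
A sketch of the check and fix discussed in the report above, as an added example that is not part of the original thread or of any Red Hat script. The function names and the overridable root argument are assumptions made here so the logic can be run against a constructed directory tree instead of the live /proc.

```shell
#!/bin/sh
# Added example: audit and disable accept_source_route for every
# interface entry under a conf tree. The root defaults to the path
# named in the report; passing another directory lets the functions
# run against a constructed tree without root privileges.

# Print "<iface> <value>" for each entry whose accept_source_route
# is not 0. Returns 1 if any such entry exists, 0 otherwise.
audit_source_route() {
    root="${1:-/proc/sys/net/ipv4/conf}"
    bad=0
    for f in "$root"/*/accept_source_route; do
        [ -r "$f" ] || continue          # skip unmatched glob / unreadable
        val=$(cat "$f")
        iface=$(basename "$(dirname "$f")")
        if [ "$val" != "0" ]; then
            printf '%s %s\n' "$iface" "$val"
            bad=1
        fi
    done
    return "$bad"
}

# Write 0 to every accept_source_route entry under the tree.
# On the live /proc this needs root; "default" is included so that
# interfaces brought up later start with source routing dropped.
disable_source_route() {
    root="${1:-/proc/sys/net/ipv4/conf}"
    for f in "$root"/*/accept_source_route; do
        [ -w "$f" ] || continue
        echo 0 > "$f"
    done
}
```

Values written under /proc do not survive a reboot, so the call to disable_source_route belongs in a boot-time or firewall script, as the reply suggests.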