diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 6185db0f0705..af06486163d6 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -422,9 +422,19 @@ ip_output(m0, opt, ro, flags, imo)
 goto bad;
 }
 
+ /* 127/8 must not appear on wire - RFC1122. */
+ if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET ||
+ (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) {
+ if ((ifp->if_flags & IFF_LOOPBACK) == 0) {
+ ipstat.ips_badaddr++;
+ error = EADDRNOTAVAIL;
+ goto bad;
+ }
+ }
+
 /*
 * Look for broadcast address and
- * and verify user is allowed to send
+ * verify user is allowed to send
 * such a packet.
 */
 if (isbroadcast) {
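Review bot: The 127/8 guard is only as strong as its position in ip_output: it tests `ip->ip_src`, `ip->ip_dst` and `ifp` as they stand at this point, so any earlier branch that jumps past it before transmission, or any later rewrite of the addresses or of `ifp` (a packet-filter or forwarding hook, if the function has one further down), would not be covered. The function body starts and ends outside the hunk, so this needs checking against the full file; if such paths exist, the test is better placed in a small helper called immediately before the interface output call. The two nested `if`s can also be folded into a single condition, and the comment could state the exception, e.g. `/* RFC1122 3.2.1.3: 127/8 must not leave the host; allowed only when ifp is a loopback interface. */`.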