Subject: Re: HEADS UP: IPFilter upgraded to 3.4.29
From: David Laight <email@example.com>
Date: 09/19/2002 11:54:17
On Thu, Sep 19, 2002 at 11:24:09AM +0300, Martti Kuparinen wrote:
> I have just upgraded IPFilter to the latest version (3.4.29) on
> NetBSD -current. You must recompile kernel and the ipf tools to
> use the new version:
> # (cd /usr/src/sys && make includes)
> # (cd /usr/src/usr.sbin/ipf && make dependall install)
> After reboot you should see this message:
> IP Filter: v3.4.29 initialized. Default = pass all, Logging = enabled
Why is the default 'pass all' on NetBSD?
It is rather dangerous, and can easily lead to a wide open system if,
for example, a bug in libkvm stops the filters being loaded.
If you want a cleanly installed system to have an open network
interface, it would surely be better to make the rc script load
default filters from a file that does 'pass all'.
A sysctl to turn the filters off might be useful as a 'get out of jail
 ask Christos :-)
David Laight: firstname.lastname@example.org
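
A check for the failure mode raised in this message (compiled-in default of 'pass all' with no filters loaded), as an added example that is not part of the original thread or of NetBSD's rc scripts. The function names are hypothetical, the inputs are passed as text, and sourcing them from dmesg and `ipfstat -io` on a live host is an assumption.

```shell
#!/bin/sh
# Added example: flag an IPFilter host that is failing open.
# Inputs are passed as text so the logic can be exercised offline; feeding
# them from dmesg and `ipfstat -io` on a live host is an assumption.

# Print the compiled-in default ("pass" or "block") from the boot banner.
ipf_default_policy() {
    printf '%s\n' "$1" |
        sed -n 's/^IP Filter: .*Default = \([a-z]*\) all.*/\1/p' | tail -n 1
}

# Count pass/block rule lines; "empty list ..." lines do not match.
ipf_rule_count() {
    printf '%s\n' "$1" | grep -c -E '^(pass|block)[[:space:]]' || true
}

# Classify: OPEN (pass default, no rules), CLOSED (block default, no rules),
# FILTERED (rules loaded), UNKNOWN (no banner found).
ipf_exposure() {
    policy=$(ipf_default_policy "$1")
    rules=$(ipf_rule_count "$2")
    if [ "$rules" -gt 0 ]; then
        echo FILTERED
    elif [ "$policy" = pass ]; then
        echo OPEN
    elif [ "$policy" = block ]; then
        echo CLOSED
    else
        echo UNKNOWN
    fi
}

# Constructed sample input: the banner quoted in the thread, plus a rule
# listing as it looks when no filters were loaded at boot.
banner='IP Filter: v3.4.29 initialized. Default = pass all, Logging = enabled'
no_rules='empty list for ipfilter(out)
empty list for ipfilter(in)'

echo "banner + no rules: $(ipf_exposure "$banner" "$no_rules")"
```

An OPEN result is the case described above: the kernel passes everything and nothing replaced that default.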