Subject: Re: HEADS UP: IPFilter upgraded to 3.4.29
To: David Laight <>
From: Andrew Brown <>
List: current-users
Date: 09/19/2002 11:59:19
>> >> IP Filter: v3.4.29 initialized.  Default = pass all, Logging = enabled
>> >
>> >Why is the default 'pass all' on NetBSD?
>> because that's typically more convenient.
>Only as an initial default, there are MUCH better ways to do that.

you can change it, if you like, when you build your kernel.

>> that way if the filters don't load, you can log in and fix it.
>Only if you realise they haven't loaded.....

it should be easy enough to have the system detect that and notify

>> >If you want a cleanly installed system to have a open network
>> >interface, it would surely be better to make the rc script load
>> >default filters from a file that does 'pass all'.
>> and if nothing can actually load filters?  wouldn't you rather be able
>> to log in and attempt to fix it?
>No!  because the system is wide open to ever hacker until you notice it.

then you'd rather have a system you can't fix remotely.  that's fine
for you perhaps, but i'm not like that.

>> >A sysctl to turn the filters off might be useful as a 'get out of jail
>> >free' card.
>> ipf -D
>Doesn't work if ipf wont run...
>(Which is the state my system was in for a few days)

if you're in that state, you shouldn't be using the machine in
production.  that's indicative of an incomplete upgrade.

|-----< "CODE WARRIOR" >-----|             * "ah!  i see you have the internet (Andrew Brown)                that goes *ping*!"       * "information is power -- share the wealth."