Subject: Re: HEADS UP: IPFilter upgraded to 3.4.29
To: David Laight <david@l8s.co.uk>
From: Andrew Brown <atatat@atatdot.net>
List: current-users
Date: 09/19/2002 11:59:19
>> >> IP Filter: v3.4.29 initialized.  Default = pass all, Logging = enabled
>> >
>> >Why is the default 'pass all' on NetBSD?
>> 
>> because that's typically more convenient.
>
>Only as an initial default, there are MUCH better ways to do that.

you can change it, if you like, when you build your kernel.

>> that way if the filters don't load, you can log in and fix it.
>
>Only if you realise they haven't loaded.....

it should be easy enough to have the system detect that and notify
you.

>> >If you want a cleanly installed system to have an open network
>> >interface, it would surely be better to make the rc script load
>> >default filters from a file that does 'pass all'.
>> 
>> and if nothing can actually load filters?  wouldn't you rather be able
>> to log in and attempt to fix it?
>
>No!  because the system is wide open to every hacker until you notice it.

then you'd rather have a system you can't fix remotely.  that's fine
for you perhaps, but i'm not like that.

>> >A sysctl to turn the filters off might be useful as a 'get out of jail
>> >free' card.
>> 
>> ipf -D
>
>Doesn't work if ipf won't run...
>(Which is the state my system was in for a few days)

if you're in that state, you shouldn't be using the machine in
production.  that's indicative of an incomplete upgrade.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
werdna@squooshy.com       * "information is power -- share the wealth."
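The thread turns on one question: when the ruleset fails to load, does the box fail open (Andrew's "log in and fix it") or fail closed (David's "wide open to every hacker")? Either way, the piece both sides agree on is "have the system detect that and notify you". The script below is an added example, not part of the original mail or of NetBSD's rc scripts: it separates the decision ("did the filter come up with rules?") from the commands that feed it, so the decision can be exercised without ipf present. It assumes that ipf(8) exits non-zero when the ruleset fails to load and that `ipfstat -io` lists the active inbound and outbound rules one per line; the /etc/ipf.conf path, the rule-count heuristic, and the logger message are our choices.

```shell
#!/bin/sh
# Added example (not from the thread): after boot, decide whether the packet
# filter is in a trustworthy state and complain loudly if it is not.
# Assumptions: ipf(8) returns non-zero on a failed load, `ipfstat -io` prints
# one active rule per line. The path and the count heuristic are ours.

RULES=${RULES:-/etc/ipf.conf}

# classify <load_status> <active_rule_count>
# Prints one of: ok, load-failed, empty.  Returns 0 only for "ok".
# "empty" catches the case this thread worries about: ipf initialised with
# its compiled-in default (pass all on NetBSD) and nothing else was loaded.
classify() {
    load_status=$1
    nrules=$2
    if [ "$load_status" -ne 0 ]; then
        echo load-failed
        return 1
    fi
    if [ "$nrules" -eq 0 ]; then
        echo empty
        return 1
    fi
    echo ok
}

# count_rules: number of non-blank lines on stdin (a rule listing).
count_rules() {
    grep -c '[^[:space:]]' || true
}

# check_live: flush, load the ruleset, then inspect what is actually active.
# Only runs where ipf exists; returns 2 otherwise so callers can tell the
# difference between "no filter here" and "filter is broken".
check_live() {
    command -v ipf >/dev/null 2>&1 || { echo "ipf not installed here"; return 2; }
    ipf -Fa -f "$RULES" >/dev/null 2>&1
    st=$?
    n=$(ipfstat -io 2>/dev/null | count_rules)
    state=$(classify "$st" "$n")
    if [ "$state" != ok ]; then
        # Notification is the point: whichever default you chose, you want
        # to know the rules did not load before an attacker does.
        logger -p daemon.crit "ipfilter: ruleset $state; host may be unfiltered"
        return 1
    fi
    echo "ipfilter: $n rules active"
}
```

On a fail-open kernel, `check_live` failing is your cue to log in and repair the ruleset; on a fail-closed kernel it is the cue that you are about to lose remote access, so run it from the console or with a scheduled `ipf -D` fallback you understand.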