Subject: Re: HEADS UP: IPFilter upgraded to 3.4.29
To: David Laight <david@l8s.co.uk>
From: Andrew Brown <atatat@atatdot.net>
List: current-users
Date: 09/19/2002 12:06:05
>> There was a time (a very long time ago) when upgrading the kernel would
>> have broken existing setups if the default would have been "block all".
>> IIRC ipf itself changed the default.
>
>Doesn't that tend to happen now, every time ipf gets updated.

only if you upgrade your kernel and not the corresponding userland
tools.  that's trivial to do; i do it all the time, and mostly
remotely.

>Or has someone managed to get the code to use ioctl requests
>and versioning so that the new utils can load an old kernel?
>(and coding for binary compatibility so that a new kernel
>can be loaded with the old rules by the old utils.)

there's a bit more to it than that, i think, but i haven't looked
recently enough for the memory of it to be fresh enough in my head.

>> Think of sites without any ipf rules (ipf is in GENERIC).
>
>I was thinking that ipf could load a 'pass all' ruleset from
>the rc script 'as shipped'.  But once configured that would
>no longer happen.

it also prevents some remote diagnostics from working.  something like
ping can tell you that the machine got as far as setting up the
network, but if ipf defaults to dropping all packets, you can't even
tell that.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
werdna@squooshy.com       * "information is power -- share the wealth."
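As an added illustration of the trade-off discussed above (not part of the original message or of any shipped NetBSD ipf.conf): an ipf ruleset that keeps the safer "block all" default but still answers ICMP echo and accepts ssh, so the remote "did the box come back up on the network?" check and a remote userland upgrade both keep working. The ssh port and the choice of echo-only ICMP are assumptions for the example.

```ipf
# Added example ruleset, not the system default.
# ipf evaluates rules in order and the *last* matching rule wins unless a
# rule says "quick", in which case matching stops there.  Putting the
# default-deny first and the explicit exceptions after it with "quick"
# makes the intent unambiguous.

# Default: drop everything coming in that nothing below explicitly allows.
block in all

# Keep remote diagnostics working: answer ping (echo request) so an admin can
# at least see that the machine got as far as bringing up the network.
pass in quick proto icmp from any to any icmp-type echo

# Allow new ssh connections (assumed port 22) so the userland ipf tools can be
# upgraded remotely alongside the kernel; "keep state" admits the rest of the
# connection without further rules.
pass in quick proto tcp from any to any port = 22 flags S keep state

# Anything this host originates is allowed out, and replies to it are let
# back in by the state table rather than by the blanket "block in all".
pass out quick all keep state
```

A ruleset like this is what you would load from rc instead of a bare "pass all", so that a kernel/userland mismatch after an ipf update fails closed without also making the machine look dead from outside.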