Amadeus Stevenson wrote:
> -ipfilter block all default, allow in www with keep state

If you expect many connections and "keep state", be sure that the state 
table is big enough then. See IPSTATE_SIZE and IPSTATE_MAX in ip_state.h.

> Is there anything else you could do? Password rotation? What would you
> do if you had to run, say, a security-critical (eg. a bank or paypal)
> system?

If you are really paranoid:
# sysctl -w net.inet.ip.random_id=1

But increases CPU overhead, of course.


Regards

Felix