Subject: Re: New IP filter code
To: Michael Graff <explorer@flame.org>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: tech-kern
Date: 04/01/1997 17:25:53
In message <v6208uxmvq.fsf@kechara.flame.org>Michael Graff writes
>"Perry E. Metzger" <perry@piermont.com> writes:
>
>> > Having to explicitly turn ip_filter *on* is a bug, in some environments.
>> 
>> Indeed. You don't want packets to leak during bootup.
>
>Can you turn it on before the interfaces are configured?  If so,
>that seems like a workable solution.

Not really, no.  Yes, ip_fil on a firewall can be made to work
that way, if configured correctly.

But the behavior of the old and `fixed' versions in the face of
configuration errors; or booting single-user and "accidentally"
bringing up interfaces without enabling filtering; or when upgrading
kernels on the firewall, etc., is...  different.

From a security perspective, that difference really does matter.
Perry and I have quite different views on security but on this we seem
to agree, at least in part.