Subject: Re: New IP filter code
To: Jason Thorpe <thorpej@nas.nasa.gov>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: tech-kern
Date: 04/01/1997 17:34:09
Jason Thorpe <thorpej@nas.nasa.gov> writes:

>On Tue, 01 Apr 1997 17:07:56 -0800 
> Jonathan Stone <jonathan@DSG.Stanford.EDU> wrote:
>
> > Executive summary:
> > 
> > The [sic] fix in NetBSD's ip_fil is perceived by security-weenies
> > as a security flaw.
> > 
> > So, how about this: we add a hook to ip_fil's pseudo-device attach
> > routine, to turn on filtering, so those that rely on the old semantics
> > get it by default; and we add a config option that turns off that
> > call, so those who need to configure fail-open can do so.
>
>
>>So, your "old semantics" argument isn't even really valid, given
>>how it actually worked.
>
It's how it worked in ip_fil 2.8.2 through 3.1.whatever.
I'm still running a couple of pre-integration versions.


>What you can do, however, to get the semantics you want, is to put:
>
>        /sbin/ipf -E
>
>first in /etc/rc.


No, that's **not** the semantics I want.  Do you really not see the
difference?