In some email I received from Michael Graff, sie wrote:
> 
> "Perry E. Metzger" <perry@piermont.com> writes:
> 
> > > Having to explicitly turn ip_filter *on* is a bug, in some environments.
> > 
> > Indeed. You don't want packets to leak during bootup.
> 
> Can you turn it on before the interfaces are configured?  If so,
> that seems like a workable solution.

WARNING: IP Filter rules for interfaces won't work if the interface isn't
yet defined (but they will load).  If I knew at which point things were added
to the ifnet list, then I could say for sure.

To be safe, I'd ifconfig the interfaces (but NOT up), load rules with IPfilter
enabled and then UP the interfaces.

Darren