Subject: Re: ipfilter loading.
To: Jonathan Stone <jonathan@DSG.Stanford.EDU>
From: Darren Reed <darrenr@arbld.unimelb.edu.au>
List: tech-kern
Date: 04/29/1997 18:07:22
In some email I received from Jonathan Stone, sie wrote:
[...]
> Accidents and misconfigurations do happen. An earlier incarnation of
> this debate happened the same day that a major Internet vendor
> accidentally goofed and a gaping hole in their firewall.  I am not
> making this up.  So I want the default configuration to be as safe as
> possible.  A default of `No firewall at all' just doesn't cut it for me.

Just to add some more thoughts to this, if the box running ipfilter crashes,
corrupting /etc/ipf.conf and/or ipf, you're left vulnerable.  Will this
happen, you ask?  More likely than the kernel becoming corrupted, at least
in my experience with ipfilter.

[...]
> From a security standpoint, being less secure is a misfeature, a _bug_.
> 
> >        (2) The previous default rule when ipfilter was enabled was
> >            "all pass"
> 
> No, it wasn't, not in the versions I've been using.

Up until very recently, the behaviour was to not match (i.e. block) all
packets.  This changed because it was causing more problems...although
I am thinking I should revert to the old behaviour, having read your and
Matt's comments (I'm a security weenie so of course that's my primary
concern).

This is configurable, but I'm thinking it should say something about the
default "rule" being used when it initialises itself.

I guess there are two schools of thought here on whether or not it should
be "on" by default.

Being an LKM aside (this is mainly a development aid), I could argue that
it isn't just "another feature" but really meant to be an integrated part
of IP in the kernel.  The only reason it should be "viewed" as a runtime
feature is because it has been developed by a 3rd party.