Subject: Re: ipfilter loading.
To: None <thorpej@nas.nasa.gov>
From: Martin Husemann <martin@rumolt.teuto.de>
List: tech-kern
Date: 04/30/1997 07:29:55
>  Jonathan Stone <jonathan@DSG.Stanford.EDU> wrote:
> 
>  > Oh. good point.   What are those uses -- are they security-related?
>  > Does changing the rule-filter default state break ipfilter for those uses?

and Jason R. Thorpe answered:
> ...NAT and passive logging come to mind.  Think of cases where the machine
> is on a _wide open_ network, just collecting data about what sort
> of traffic is on the wire...

And this makes things complicated!

I wholeheartedly agree with Dareen and Jonathan while talking about
security. I disagree when looking at generic kernels in distribution:

I would argue we could well live without ipfilter in a generic kernel, since
Joe Average User won't need it for security, and if so, he would probably
customize his kernel anyway.

BUT: Joe Average User probably will run NAT - at least here in Germany it
makes a big $$$$ difference whether I order one dynamically assigned IP from
my provider or a subnet with complete routing and name resolving. So to let
my NetBSD box sup -current while I'm surfing using Internet Explorer on the
NT box, I'll need NAT.


Martin