Subject: Re: ip filter and logging
To: Darren Reed <darrenr@reed.wattle.id.au>
From: Andrew Brown <atatat@atatdot.net>
List: tech-net
Date: 04/13/2000 10:00:20

>> fwiw - i also find that with default pass and only "log" (ie, no
>> "pass", "block", or "count" lines) lines in my ipf.conf, my machine
>> becomes unreachable.  is perhaps the "log" action short for "block
>> log"?
>
>Not quite.  But if you do:
>
>log in blah
>
>then it's not a "pass" so how can it be pass'd ?  I do recall there being
>a bug related to that which got fixed in 3.3.

based on this paragraph

       log    causes the packet to be logged (as described in the
              LOGGING section below) and has no effect on whether
              the packet will be allowed through the filter.

i assumed (wrongly, i guess) that log lines were similar to count
lines and that the default pass would still allow all packets through.

similarly, "count" is not a "pass", but it does.  :)

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."