Subject: Re: ipf race (was: Flag to exclude an interface from INADDR_ANY?)
To: None <tech-net@netbsd.org>
From: Wolfgang Rupprecht <wolfgang+gnus20020102T082021@wsrcc.com>
List: tech-net
Date: 01/02/2002 08:29:50
> configuring ipf to block all services invisibly on the outside
> interface(s) is both error-prone and subject to both race conditions

Is it possible to eliminate the race condition by swapping filters as such:

	ipf -I -F a -f /etc/ipf.conf
	ipf -I -6   -f /etc/ipf-v6.conf
	ipf -s

Or does the "ipf -s" have a small race condition of its own?  If so,
I'm going to have to rethink how I reload filters. (e.g., perhaps something
along the lines of ifconfig down, reload, ifconfig up)

-wolfgang
-- 
       Wolfgang Rupprecht <wolfgang+gnus@dailyplanet.wsrcc.com>
		    http://www.wsrcc.com/wolfgang/
Coming soon: GPS mapping tools for Open Systems. http://www.gnomad-mapping.com/