Subject: Re: New IP filter code
To: None <tech-net@NetBSD.ORG, tech-security@NetBSD.ORG>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-security
Date: 04/01/1997 23:30:45

  I worked out the problems with the filters by putting

	sysctl -w net.inet.ip.forwarding=0

  at the top of /etc/netstart, and re-enabled ipforwarding
after installing my filters. I'd like to see the kernel boot with all
forwarding off, and block all if ipfiltering is configured. If you
want to pass things, you can do "ipf -D".
  If you built with IP filtering, then you probably wanted
filtering...

  I'm still having troubles getting DNS *responses* in that aren't to
port 53. I had expected the syntax to include definitions for source
and destination ports. I've asked that question on the filtering list.

   :!mcr!:            |  Network security consulting and 
   Michael Richardson |      contract programming
 WWW: mcr@sandelman.ottawa.on.ca. PGP key available.
