Subject: Preventative security features?
To: None <tech-security@netbsd.org>
From: Dmitri Nikulin <setagllib@optusnet.com.au>
List: tech-security
Date: 11/11/2004 23:41:06

Is there any reason NetBSD doesn't implement many preventative security 
features? Even FreeBSD has quite a lot imported/cloned from OpenBSD (I'm 
assuming so anyway, since that's where they'd come from), but NetBSD 
doesn't seem to have many, even those that could be implemented as 
2/3-liners portably. NetBSD has the passive security that comes from 
good code, but a little extra can't hurt.

If nobody else wants to do it, I could try my hand at porting some 
features, or at least reproducing. Browsing over FreeBSD 5.3-STABLE 
source, I'm seeing things like this...

    if (blackhole) {
        switch (blackhole) {
        case 1:
            if (thflags & TH_SYN)
                goto drop;
            break;
        case 2:
            goto drop;
        default:
            goto drop;
        }

...that deserve http://thedailywtf.com/ inclusion. Clearly re-writes are 
the way here.

Is there a reason these things (blackholes, randomization of kernel 
data, etc.) aren't done in NetBSD? If not, does anybody object to work 
done to bring them into -current? I'd certainly like features like 
that, even if I have to code them myself.

At the very least, the ability to run nmap against a NetBSD machine and 
have it be completely unknown, even with plenty of open and closed ports 
available. Free and OpenBSD can do this just with a few sysctl runs, 
Linux stands no chance, but NetBSD should be up with its brothers and 
not alongside Linux.

So what does everyone think? If there are no objections, I can start 
toying about with -current to see if it's practical. I have i386 and 
sgimips to test on, but it shouldn't end up being arch dependent. This 
would certainly give admins even more reason to run NetBSD on hardened 
servers, besides the cleanliness and stability.
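
Added example, not part of the original post and not FreeBSD's code: the quoted switch transcribed into a function beside a one-expression equivalent, with an exhaustive check that both return the same drop/reset verdict for a segment sent to a closed port. The function names, the `verdict` enum, and the modelling of "falls out of the block" as "send RST" are assumptions made for illustration.

```c
#include <stdio.h>
#define TH_SYN 0x02   /* SYN bit in the TCP header flags byte */
enum verdict { SEND_RST = 0, DROP = 1 };

/* The quoted switch, with "goto drop" turned into a return value.
 * Falling out of the block is modelled as SEND_RST (assumption: the
 * normal closed-port reply follows in the surrounding function). */
static enum verdict quoted_logic(int blackhole, int thflags)
{
    if (blackhole) {
        switch (blackhole) {
        case 1:
            if (thflags & TH_SYN)
                return DROP;
            break;
        case 2:
            return DROP;
        default:
            return DROP;
        }
    }
    return SEND_RST;
}

/* Same behaviour in one expression: mode 1 hides only SYNs, any other
 * non-zero mode hides every segment sent to a closed port. */
static enum verdict compact_logic(int blackhole, int thflags)
{
    if (blackhole == 0)
        return SEND_RST;
    return (blackhole != 1 || (thflags & TH_SYN)) ? DROP : SEND_RST;
}

/* Compare both forms over a range of modes and every flag byte. */
static int count_mismatches(void)
{
    int bad = 0;
    for (int mode = -2; mode <= 4; mode++)
        for (int flags = 0; flags < 256; flags++)
            if (quoted_logic(mode, flags) != compact_logic(mode, flags))
                bad++;
    return bad;
}

int main(void)
{
    printf("mismatches: %d\n", count_mismatches());
    return 0;
}
```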