Subject: Re: pf doesn't start normally anymore
To: Greg Troxel <gdt@ir.bbn.com>
From: Mipam <mipam@ibb.net>
List: tech-security
Date: 08/11/2005 23:18:05
On Thu, 11 Aug 2005, Greg Troxel wrote:

> Peter Postma <peter@pointless.nl> writes:
> 
> > I think that I know what's wrong. When /etc/rc.d/pf is executed, wm0
> > doesn't have an IP address yet. So the rule parsing fails here:
> > "from any to $ext_if", $ext_if should resolve to IP address(es) but wm0
> > doesn't have an address so this fails. You'll probably see the message:
> > "no IP address found for wm0".
> 
> I have found (with ipfilter) that I wished I could write rules that
> talk about not only in and out, but 'up' and 'down', so that I could
> separate protecting the host from the router portion of the firewall.
> The lack of this has led me to write rules that block packets to 'my'
> addresses, which require addresses to be present.
> 
> There is also compiling default block into the kernel.  I suppose
> startup scripts could install a block all, bring up networks, and then
> install the real ruleset.

I also liked the default block idea in ipf very much and always compiled the 
kernel with the default block. Thing is, if you've got a remote firewall 
with that block compiled in AND a typo in the ruleset by accident, you won't 
be able to reach it anymore. So, yeah, I like it much, the default block, 
but sometimes I did run into trouble because of a typo or mistake, and then 
the best remote admin tool was "the car". :-)

"What is the best remote admin tool for Windows Not Today?"
Answer: "a car". :-)

Anyway, forgive me.
Bye,

Mipam.
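The staged start Greg describes (install a block-all ruleset, bring the network up, then load the real ruleset), with the parse check that keeps the typo Mipam mentions from stranding a remote box. This is an added example for the thread, not NetBSD's /etc/rc.d/pf; the PFCTL and NETUP overrides, the /tmp/pf-staged directory and the rollback helper are illustrative assumptions. The pfctl flags used (-e, -f, -n) are the real ones.

```shell
#!/bin/sh
# Added example: staged pf start-up. Not NetBSD's /etc/rc.d/pf.
# Assumptions: PFCTL and NETUP can be overridden (so the logic can be run
# without root or a pf kernel), and state lives under /tmp/pf-staged.
set -u

PFCTL=${PFCTL:-pfctl}
NETUP=${NETUP:-"/etc/rc.d/network start"}   # whatever gives wm0 its address
STATE_DIR=${STATE_DIR:-/tmp/pf-staged}
BLOCK_ALL="$STATE_DIR/block-all.conf"

# Placeholder ruleset: it names no interface address, so it parses even
# before wm0 has been configured.
write_block_all() {
    mkdir -p "$STATE_DIR"
    printf 'pass quick on lo0\nblock all\n' > "$BLOCK_ALL"
}

# Parse only (pfctl -n): a typo, or "$ext_if" with no address yet
# ("no IP address found for wm0"), fails here instead of after the
# rules are already in the kernel.
check_ruleset() {
    "$PFCTL" -nf "$1" >/dev/null 2>&1
}

# Returns 0 when the real ruleset is loaded, 1 when the box is left on
# block-all because the real ruleset does not parse.
staged_start() {
    real=$1
    write_block_all
    "$PFCTL" -f "$BLOCK_ALL" || return 2      # nothing passes until we say so
    "$PFCTL" -e >/dev/null 2>&1 || true       # "already enabled" is not an error
    $NETUP >/dev/null 2>&1 || true            # interfaces get their addresses now
    if ! check_ruleset "$real"; then
        echo "pf: $real does not parse, staying on block-all" >&2
        return 1
    fi
    "$PFCTL" -f "$real"
}

# Remote change: load the new rules, then put the last known-good file
# back after $3 seconds unless the admin kills the returned PID. A ruleset
# that parses but cuts off your own ssh is undone without the car.
load_with_rollback() {
    new=$1; known_good=$2; secs=${3:-120}
    check_ruleset "$new" || return 1
    "$PFCTL" -f "$new" || return 1
    ( sleep "$secs" && "$PFCTL" -f "$known_good" ) >/dev/null 2>&1 &
    echo $!
}
```

Two caveats. The parse check only stops a broken file from loading; a remote box that stays on block-all is just as unreachable as one with a bad ruleset in it, which is why the rollback helper reverts to the last known-good file rather than to block-all. And the symptom that started the thread can be avoided in the rules themselves: pf.conf accepts the interface in parentheses, `($ext_if)`, so the address is looked up when the rule is evaluated rather than when the file is parsed.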