Subject: Re: HEADS UP: IPFilter upgraded to 3.4.29
To: <>
From: David Laight <david@l8s.co.uk>
List: current-users
Date: 09/19/2002 11:54:17
On Thu, Sep 19, 2002 at 11:24:09AM +0300, Martti Kuparinen wrote:
> Hi!
> 
> I have just upgraded IPFilter to the latest version (3.4.29) on
> NetBSD -current. You must recompile kernel and the ipf tools to
> use the new version:
> 
> # (cd /usr/src/sys && make includes)
> # (cd /usr/src/usr.sbin/ipf && make dependall install)
> 
> After reboot you should see this message:
> 
> IP Filter: v3.4.29 initialized.  Default = pass all, Logging = enabled

Why is the default 'pass all' on NetBSD?
It is rather dangerous, and can easily lead to a wide open system if,
for example, a bug in libkvm [1] stops the filters being loaded.

If you want a cleanly installed system to have an open network
interface, it would surely be better to make the rc script load
default filters from a file that does 'pass all'.

A sysctl to turn the filters off might be useful as a 'get out of jail
free' card.

	David

[1] ask Christos :-)

-- 
David Laight: david@l8s.co.uk
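As an added illustration of the fail-closed arrangement David argues for (this is example code written for this page, not NetBSD's own /etc/rc.d/ipfilter script and not anything from the IPFilter distribution), the sketch below loads the real ruleset from a file and, if that load fails for any reason, falls back to a constructed block-everything-but-loopback ruleset instead of leaving the host at "Default = pass all". It assumes ipf(8) from IPFilter 3.4 with its standard -E (enable), -Fa (flush all rules) and -f (load rules from file) options; the /sbin/ipf and /etc/ipf.conf paths, the IPF and RULES variable names and the function names are assumptions made here for the example.

```shell
#!/bin/sh
# Added example: fail-closed IPFilter rule loading in the style of an rc.d
# script. Not NetBSD's /etc/rc.d/ipfilter. Assumes ipf(8) with -E, -Fa, -f.

IPF=${IPF:-/sbin/ipf}          # assumed path to ipf(8)
RULES=${RULES:-/etc/ipf.conf}  # assumed location of the real ruleset

# Constructed emergency ruleset: used only when the real file cannot be
# loaded. Blocks everything except loopback, so a broken load (a libkvm
# problem, a syntax error, a missing file) leaves the host closed rather
# than wide open under the kernel's "pass all" default.
FAILSAFE_RULES='block in all
block out all
pass in quick on lo0 all
pass out quick on lo0 all'

# load_rules FILE: flush the active rule set and load FILE in one ipf run.
# Returns ipf's exit status, so a parse error propagates to the caller.
load_rules() {
    "$IPF" -Fa -f "$1"
}

# apply_ruleset FILE: enable the filter, try to load FILE, and on failure
# install the fail-safe ruleset. Return codes:
#   0  the real ruleset is active
#   1  FILE could not be loaded; the block-all fail-safe is active
#   2  not even the fail-safe could be loaded (filter enabled, no rules,
#      which under "Default = pass all" means the host is open)
apply_ruleset() {
    rules=$1
    "$IPF" -E >/dev/null 2>&1 || :   # "already enabled" is not an error here
    if [ -r "$rules" ] && load_rules "$rules"; then
        echo "ipfilter: loaded $rules"
        return 0
    fi
    tmp=$(mktemp /tmp/ipf-failsafe.XXXXXX) || return 2
    printf '%s\n' "$FAILSAFE_RULES" > "$tmp"
    if load_rules "$tmp"; then
        rm -f "$tmp"
        echo "ipfilter: FAILED to load $rules; block-all fail-safe is active" >&2
        return 1
    fi
    rm -f "$tmp"
    echo "ipfilter: could not load any ruleset; host is NOT filtered" >&2
    return 2
}

# Typical rc usage (not run here): apply_ruleset "$RULES"
```

The important detail is that the fallback runs on every failure path, not only on a missing file: a ruleset with a typo fails in `load_rules`, and the return code lets the rest of the boot sequence (or an operator reading the console) tell the three outcomes apart. A sysctl of the kind David mentions would be the matching escape hatch for the case where the fail-safe locks an administrator out.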