Subject: Re: HEADS UP: IPFilter upgraded to 3.4.29
To: David Laight <david@l8s.co.uk>
From: Andrew Brown <atatat@atatdot.net>
List: current-users
Date: 09/19/2002 09:36:04
>> I have just upgraded IPFilter to the latest version (3.4.29) on
>> NetBSD -current. You must recompile kernel and the ipf tools to
>> use the new version:
>> 
>> # (cd /usr/src/sys && make includes)
>> # (cd /usr/src/usr.sbin/ipf && make dependall install)
>> 
>> After reboot you should see this message:
>> 
>> IP Filter: v3.4.29 initialized.  Default = pass all, Logging = enabled
>
>Why is the default 'pass all' on NetBSD?

because that's typically more convenient.  that way if the filters
don't load, you can log in and fix it.  as opposed to having the
filters that would let you in so you could fix it fail to load.

if you don't like it, you can always add

	options 	IPFILTER_DEFAULT_BLOCK

to your kernel config.  finding that took less than two minutes
digging through the source.  you should try it.

>It is rather dangerous, and can easily lead to a wide open system if,
>for example, a bug in libkvm [1] stops the filters being loaded.

bugs is bugs.

>If you want a cleanly installed system to have an open network
>interface, it would surely be better to make the rc script load
>default filters from a file that does 'pass all'.

and if nothing can actually load filters?  wouldn't you rather be able
to log in and attempt to fix it?

>A sysctl to turn the filters off might be useful as a 'get out of jail
>free' card.

ipf -D

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
werdna@squooshy.com       * "information is power -- share the wealth."
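The thread turns on what happens to packets the ruleset never mentions: with a
stock NetBSD kernel they pass, with `options IPFILTER_DEFAULT_BLOCK` they are
dropped. A ruleset that begins with its own catch-all rules does not depend on
that compile-time choice at all. The script below is an added example, not
code from this thread or from the IPFilter distribution: it refuses to load an
ipf rules file unless the file pins both the inbound and outbound default
itself. The function names (`has_catchall`, `ruleset_states_default`,
`load_rules`, `write_sample_ruleset`), the sample interface `fxp0` and the
sample rules are constructed for the example; the `ipf -Fa -f` invocation and
the rule grammar (last match wins unless `quick`) are as documented by ipf.

```shell
#!/bin/sh
# Added example, not from the thread or the ipf sources: refuse to load an
# IPFilter ruleset that does not state its own default policy, so that the
# fate of unmatched packets never depends on whether the kernel was built
# with "options IPFILTER_DEFAULT_BLOCK".
#
# ipf evaluates rules last-match unless a rule says "quick", so a leading
# "block in all" / "block out all" pair is the usual way to pin the default
# to deny inside the ruleset itself; later "pass ... quick" rules punch holes.

has_catchall() {
  # $1 = rules file, $2 = direction (in|out).
  # Matches "pass|block <dir> [log] [quick] all" and nothing else: a rule
  # carrying "on <ifname>", "proto" or addresses is not a default policy.
  # Comment lines are ignored.
  pat="^[[:space:]]*(pass|block)[[:space:]]+$2([[:space:]]+log)?([[:space:]]+quick)?[[:space:]]+all[[:space:]]*\$"
  grep -v '^[[:space:]]*#' "$1" | grep -Eq "$pat"
}

ruleset_states_default() {
  # Exit 0 if the file pins both the inbound and the outbound default.
  has_catchall "$1" in && has_catchall "$1" out
}

load_rules() {
  # Hypothetical loader wrapper: flush all rules and load the file only when
  # the ruleset is self-contained. -Fa (flush all) and -f (read rules from a
  # file) are real ipf flags. Needs root and a kernel with ipf; not invoked
  # by the demo below.
  if ruleset_states_default "$1"; then
    ipf -Fa -f "$1"
  else
    echo "refusing to load $1: no explicit 'in' and 'out' default rule" >&2
    return 1
  fi
}

write_sample_ruleset() {
  # Constructed sample ruleset for the demo (not from any real host).
  cat > "$1" <<'EOF'
# default: deny everything not explicitly allowed, regardless of kernel option
block in log all
block out log all
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on fxp0 proto tcp from any to any port = 22 flags S keep state
pass out quick on fxp0 all keep state
EOF
}

# Stand-alone demo on the constructed sample.
demo_file=$(mktemp) && write_sample_ruleset "$demo_file"
if ruleset_states_default "$demo_file"; then
  echo "sample ruleset pins its own default policy"
else
  echo "sample ruleset relies on the kernel default"
fi
rm -f "$demo_file"
```

Run the check from the rc script before `ipf -Fa -f`; if the file is rejected,
the kernel default still applies, which is exactly the case the thread argues
about, so the check turns a silent policy into a logged one rather than
replacing `ipf -D` as the escape hatch.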