Subject: Re: New IP filter code
To: Jonathan Stone <jonathan@DSG.Stanford.EDU>
From: Bernd Ernesti <netbsd@arresum.inka.de>
List: tech-net
Date: 04/02/1997 10:24:03
On Wed Apr  2 03:25:53 1997, Jonathan Stone wrote:
> 
> In message <v6208uxmvq.fsf@kechara.flame.org>Michael Graff writes
> >"Perry E. Metzger" <perry@piermont.com> writes:
> >
> >> > Having to explicitly turn ip_filter *on* is a bug, in some environments.
> >> 
> >> Indeed. You don't want packets to leak during bootup.
> >
> >Can you turn it on before the interfaces are configured?  If so,
> >that seems like a workable solution.

You can do that; I made the change to /etc/netstart to enable it again.

> Not really, no.  Yes, ip_fil on a firewall can be made to work
> that way, if configured correctly.
> 
> But the behavior of the old and `fixed' versions in the face of
> configuration errors; or booting single-user and "accidentally"
> bringing up interfaces without enabling filtering; or when upgrading
> kernels on the firewall, etc, is...  different.

We can't fix all problems that come from humans.

Btw, why don't you use IPF_DEFAULT_PASS? That's all you wanted.

Bernd