>> >Why not just enable each of the above and control it through packet
>> >filter lists in IP Filter ?
>> 
>> yeah...but then the "generic" solution is replaced by a different set
>> of filter rules for *everyone*
>
>This is an option. This isn't required. You don't have to activate the 
>sysctl. Do you have a problem with people who want a particular piece
>of code that doesn't impact you having that code?

i know it's an option.  we've clashed over options before.  :)

all i was saying is that somewhere...there might exist someone
(perhaps some corporate mis weenie who knows almost nothing about next
to everything but wants "security" with quotes) who wants a
strong-ended system but is not qualified (or even competent enough) to
compile the ipf stuff into his or her kernel, let alone write the
necessary filter rules to effect such a system.  having little
switches and dials and knobs makes things like this easier for end
users.

imho, if the answer has to be "let's drop this silly discussion
because you can use ipf to do it", then the answer is also to forget
about the pkg stuff, since everyone should be able to download and
compile everything themselves, which (in the extreme) extends to "who
needs operating systems that interoperate, since it only makes it
easier for people to get their work done.  they have to work anyway:
work them like dogs."

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."