Subject: Re: port-unreachable and system reboot
To: None <tech-net@netbsd.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-net
Date: 05/26/2001 21:40:34
>>> how about an (additional) ipf rule during bootstrap?
>> [...]
> my point is, once you implement tcp_silent_refused, you will want to
> do this for udp, and then for other protocols. i don't think it
> worthwhile to do this in per-protocol hack basis.
I'd agree; I'd use one variable and call it something like
net.inet.refusals.
> [...ipf...] i'm suggesting to run something like below in your
> /etc/rc suite:
> 1. install deny-all-outgoing ipf rules
> 2. configure interfaces
> 3. run daemons
> 4. remove deny-all-outgoing ipf rules
Well, I know *I*'m not willing to carry all the ipf baggage around just
for this one effect; I have no use whatever for ipf on most of my
machines, and on the one gateway machine, I don't think it can do what
I need anyway - it couldn't when I looked back when I was setting
things up. (If I wanted this effect and didn't feel like bothering
hacking in a sysctl variable for it, I'd probably just ifconfig bpfonly
to block stuff and -bpfonly when ready. Of course, that presupposes
the bpfonly interface flag; as far as I know that's still one of my
private patches. It allows the interface to receive for bpf purposes
but not for any other, by returning early out of ether_input - of
course, this does mean it works only for Ethernets; similar tweaks
could easily be done elsewhere. As with the rest of my patches, I'm
happy to send out copies.)
/~\ The ASCII                         der Mouse
\ / Ribbon Campaign
 X  Against HTML              mouse@rodents.montreal.qc.ca
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B