Subject: Re: pf doesn't start normally anymore
To: None <tech-security@NetBSD.org>
From: Manuel Bouyer <bouyer@antioche.eu.org>
List: tech-security
Date: 08/17/2005 20:48:39
On Thu, Aug 11, 2005 at 07:28:59PM +0200, Peter Postma wrote:
> On Thu, Aug 11, 2005 at 07:12:43PM +0200, Lubomir Sedlacik wrote:
> > On Thu, Aug 11, 2005 at 07:07:10PM +0200, Peter Postma wrote:
> > > So, we should start pf after the network is up, then everything should
> > > be fine. Please try the attached patch.
> > 
> > that's a fundamentally wrong approach, though.  starting the packet filter
> > after the network is up leaves a window for possible attacks from the
> > network.
> > 
> 
> Which is perhaps ~ 1 or 2 seconds and even then there are no networked
> daemons up. I think this is a bit exaggerated to take into account.

It's a problem if the box is acting as a stateless filtering router.

-- 
Manuel Bouyer <bouyer@antioche.eu.org>
     NetBSD: 26 years of experience will always make the difference
--
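The ordering question argued in this thread, as an added example that is neither the patch under discussion nor NetBSD's own rc.d or rcorder(8) code: a small model of rcorder-style PROVIDE/REQUIRE/BEFORE resolution, run over constructed rc.d headers, showing that "pf REQUIRE network" brings the interface up before the filter is loaded, while "pf BEFORE network" closes that window.

```python
"""Model of rcorder-style start ordering from rc.d header comments.

Added example; the script headers below are constructed for illustration
and are not the contents of NetBSD's real /etc/rc.d scripts.
"""
import re
from collections import defaultdict

KEYWORD = re.compile(r"^#\s*(PROVIDE|REQUIRE|BEFORE):\s*(.*)$", re.M)

def parse_headers(text):
    """Return {keyword: [names]} from an rc.d script's rcorder comment lines."""
    found = defaultdict(list)
    for key, names in KEYWORD.findall(text):
        found[key].extend(names.split())
    return found

def start_order(scripts):
    """Deterministic start order (Kahn's algorithm) from PROVIDE/REQUIRE/BEFORE."""
    hdrs = {name: parse_headers(text) for name, text in scripts.items()}
    provider = {p: name for name, h in hdrs.items() for p in h["PROVIDE"]}
    deps = {name: set() for name in scripts}   # script -> scripts that must run first
    for name, h in hdrs.items():
        for r in h["REQUIRE"]:
            if r in provider:                   # unknown REQUIREs are ignored, like rcorder
                deps[name].add(provider[r])
        for b in h["BEFORE"]:
            if b in provider:
                deps[provider[b]].add(name)
    order, done = [], set()
    while len(order) < len(scripts):
        ready = sorted(n for n in scripts if n not in done and deps[n] <= done)
        if not ready:
            raise ValueError("dependency cycle in rc.d headers")
        order.append(ready[0])
        done.add(ready[0])
    return order

def exposure_window(scripts, filt="pf", net="network"):
    """True if the network comes up before the packet filter has loaded its rules."""
    order = start_order(scripts)
    return order.index(net) < order.index(filt)

# Constructed headers: the filter started after the network versus before it.
BASE = {
    "root": "# PROVIDE: root\n",
    "mountcritlocal": "# PROVIDE: mountcritlocal\n# REQUIRE: root\n",
    "network": "# PROVIDE: network\n# REQUIRE: mountcritlocal\n",
    "sshd": "# PROVIDE: sshd\n# REQUIRE: network\n",
}
FILTER_AFTER = dict(BASE, pf="# PROVIDE: pf\n# REQUIRE: network\n")
FILTER_BEFORE = dict(BASE, pf="# PROVIDE: pf\n# REQUIRE: mountcritlocal\n# BEFORE: network\n")
```

With FILTER_AFTER the order is root, mountcritlocal, network, pf, sshd (the interface is up with no rules loaded); with FILTER_BEFORE pf precedes network and no unfiltered packet can be forwarded.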