Date:      Mon, 17 Jul 2006 16:03:47 +1000 (Australia/ACT)
From:      Darren Reed <avalon@caligula.anu.edu.au>
To:        daniel@benzedrine.cx (Daniel Hartmeier)
Cc:        Dag-Erling Smørgrav <des@des.no>, freebsd-pf@freebsd.org, Ari Suutari <ari@suutari.iki.fi>, freebsd-security@freebsd.org
Subject:   Re: Any ongoing effort to port /etc/rc.d/pf_boot,
Message-ID:  <200607170603.k6H63lgD017631@caligula.anu.edu.au>
In-Reply-To: <20060716214456.GE3240@insomnia.benzedrine.cx> from "Daniel Hartmeier" at Jul 16, 2006 11:44:56 PM

In some mail from Daniel Hartmeier, sie said:
...
> I'm not sure the average user _really_ is worried enough about that
> half a second period on boot. But I DO know there will be people locking
> themselves out from far-away remote hosts (on updates, for instance) if
> this becomes the default.

For me this has always been the overriding reason to have IPFilter
always default (as shipped) to default allow.  There are just too
many things that can go wrong that can lead to no access to a system.

That said, I believe NetBSD (and FreeBSD?) have this:

options IPFILTER_DEFAULT_BLOCK

You might want to do something similar for pf to make this easier
for those who (think they) know what they're doing.

Darren


