From: Darren Reed
To: daniel@benzedrine.cx (Daniel Hartmeier)
Cc: Dag-Erling Smørgrav, freebsd-pf@freebsd.org, freebsd-security@freebsd.org
Date: Mon, 17 Jul 2006 16:03:47 +1000 (Australia/ACT)
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot,
Message-Id: <200607170603.k6H63lgD017631@caligula.anu.edu.au>
In-Reply-To: <20060716214456.GE3240@insomnia.benzedrine.cx> from "Daniel Hartmeier" at Jul 16, 2006 11:44:56 PM

In some mail from Daniel Hartmeier, sie said:
...
> I'm not sure the average user _really_ is worried enough about that
> half a second period on boot. But I DO know there will be people locking
> themselves out from far-away remote hosts (on updates, for instance) if
> this becomes the default.

For me this has always been the overriding reason to have IPFilter always
default (as shipped) to default allow. There are just too many things that
can go wrong that can lead to no access to a system.

That said, I believe NetBSD (and FreeBSD?) have this:

	options IPFILTER_DEFAULT_BLOCK

You might want to do something similar for pf to make this easier for those
who (think they) know what they're doing.

Darren
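The remote lockout that both Daniel and Darren worry about is usually handled at the operational layer rather than by the kernel default: load the new ruleset with a timed rollback, and cancel the rollback only after a fresh login succeeds. The script below is an added example of that pattern for pf; it is not code from this thread, from FreeBSD or from the pf project. The file names, the PFCTL/TIMEOUT/STATE variables, the pf_* function names and the sample ruleset (with the documentation address 192.0.2.10) are my assumptions; `pfctl -nf`, `-sr`, `-sn` and `-f` are real pfctl flags.

```shell
#!/bin/sh
# pf_safe_reload.sh: load a new pf ruleset over a remote session and roll it
# back automatically unless the operator confirms that they can still log in.
# Added example; not code from this thread, from FreeBSD or from pf.
# Assumptions (mine, not the thread's): pfctl is in PATH (override with
# PFCTL, e.g. with a stub for dry runs), $STATE's directory is writable, and
# the shell is POSIX sh.
#
# Usage:  . ./pf_safe_reload.sh
#         pf_safe_load /etc/pf.conf.new   # apply; reverts after $TIMEOUT seconds
#         pf_confirm                      # run from a fresh login to keep the rules

PFCTL=${PFCTL:-pfctl}
TIMEOUT=${TIMEOUT:-120}               # seconds until automatic rollback
STATE=${STATE:-/var/run/pf_safe}      # prefix for saved rules and marker files

# Constructed sample of a default-block ruleset that still admits management
# SSH from one fixed admin address (192.0.2.10 is a documentation address).
pf_write_sample_ruleset() {
    cat > "$1" <<'EOF'
ext_if = "em0"
admin  = "192.0.2.10"
set skip on lo0
block all
pass in  on $ext_if proto tcp from $admin to ($ext_if) port 22 keep state
pass out on $ext_if keep state
EOF
}

# Dump the currently loaded nat/rdr and filter rules in pf.conf syntax so
# that `pfctl -f` can load them again.  Caveat: tables and anchors that are
# populated only from the old file are not captured by this dump.
pf_save_current() {
    { "$PFCTL" -sn; "$PFCTL" -sr; } > "$STATE.old"
}

# Load $1, then start a watchdog that restores the saved ruleset unless
# pf_confirm has run before TIMEOUT expires.  Changes nothing and returns
# non-zero if the new file fails to parse.
pf_safe_load() {
    newrules=$1
    "$PFCTL" -nf "$newrules" || return 1      # parse only; abort on syntax error
    pf_save_current || return 1
    rm -f "$STATE.confirmed"
    if [ -f "$STATE.watchdog" ]; then         # cancel a watchdog from an earlier load
        kill "$(cat "$STATE.watchdog")" 2>/dev/null || true
    fi
    "$PFCTL" -f "$newrules" || return 1
    (
        trap '' HUP                           # survive the SSH session being dropped
        sleep "$TIMEOUT"
        if [ ! -f "$STATE.confirmed" ]; then
            "$PFCTL" -f "$STATE.old"          # nobody confirmed: put the old rules back
            echo "pf_safe_load: rolled back to previous ruleset" >&2
        fi
    ) &
    echo $! > "$STATE.watchdog"
}

# Run this from a new login once you have verified that you still get in.
pf_confirm() {
    touch "$STATE.confirmed"
}
```

Two points matter in practice. The `trap '' HUP` in the watchdog is what makes it a safety net at all: if the new rules cut the SSH session, the login shell receives SIGHUP and a plain background job would die with it, leaving the bad ruleset loaded. And this only protects rule reloads on a running system; the half-second boot-time window the thread's subject (pf_boot) is about needs the early-boot ruleset instead, since no operator is present to confirm anything.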