Subject: Re: HEADS UP: IPFilter upgraded to 3.4.29
To: <>
From: David Laight <david@l8s.co.uk>
List: current-users
Date: 09/19/2002 15:00:19
> >> IP Filter: v3.4.29 initialized.  Default = pass all, Logging = enabled
> >
> >Why is the default 'pass all' on NetBSD?
> 
> because that's typically more convenient.

Only as an initial default, there are MUCH better ways to do that.

> that way if the filters don't load, you can log in and fix it.

Only if you realise they haven't loaded.....

> as opposed to having the
> filters not load that would let you in so you could fix it.
> 
> if you don't like it, you can always add
> 
> 	options 	IPFILTER_DEFAULT_BLOCK
> 
> to your kernel config.  finding that took less than two minutes
> digging through the source.  you should try it.

I did - I'm sure the default default was different for NetBSD;
the other OSes all block by default.

> >If you want a cleanly installed system to have a open network
> >interface, it would surely be better to make the rc script load
> >default filters from a file that does 'pass all'.
> 
> and if nothing can actually load filters?  wouldn't you rather be able
> to log in and attempt to fix it?

No!  Because the system is wide open to every hacker until you notice it.

> >A sysctl to turn the filters off might be useful as a 'get out of jail
> >free' card.
> 
> ipf -D

Doesn't work if ipf won't run...
(Which is the state my system was in for a few days)

	David

-- 
David Laight: david@l8s.co.uk
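As an added illustration, not taken from this thread, here is the fail-closed arrangement the message argues for, in NetBSD kernel-config and ipf.conf form: the kernel option makes the policy block-all whenever no rules are loaded, and the rules file states the same default explicitly so a successful load still blocks anything not listed. The kernel config path, interface name (ex0), rules path and port are assumptions.

```conf
# /usr/src/sys/arch/<arch>/conf/MYKERNEL (path and name assumed)
# Make the kernel block everything when no rules are loaded,
# instead of the NetBSD 'pass all' default discussed above.
options         IPFILTER_DEFAULT_BLOCK

# /etc/ipf.conf (assumed path): state the default explicitly as well,
# so the policy does not depend on which kernel option was compiled in.
# IPFilter uses last-match semantics unless a rule says 'quick',
# so the block rules go first and every pass rule is 'quick'.
block in log all
block out all

# Loopback is unrestricted.
pass in quick on lo0 all
pass out quick on lo0 all

# Inbound on the external interface: only SSH (ex0 and port 22 assumed),
# stateful so the replies are matched without extra rules.
pass in quick on ex0 proto tcp from any to any port = 22 flags S keep state

# Outbound: anything this host initiates, with state kept for the replies.
pass out quick on ex0 proto tcp from any to any flags S keep state
pass out quick on ex0 proto udp from any to any keep state
pass out quick on ex0 proto icmp from any to any keep state
```

If `ipf -f /etc/ipf.conf` fails at boot, the kernel option is what keeps the host closed; without it the machine sits at 'pass all' until someone notices, which is exactly the situation the message describes.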