Subject: Re: pf doesn't start normally anymore
To: Martin Husemann <martin@duskware.de>
From: mouss <usebsd@free.fr>
List: tech-security
Date: 08/16/2005 17:16:41
Martin Husemann wrote:

>I'm not sure what interface the script should set to down (and up after the
>filter has been loaded), but wouldn't sysctl net.inet.ip.forwarding=0 work
>even better? This, of course, assumes a firewall with no local servers
>running (before the filter is loaded, at least).
>
The interfaces are already configured by "network", so it is trivial to 
add ifconfig down. And at worst:
    for if in `ifconfig -l`; do ifconfig $if down; done
Then do the opposite after security is "ok".
One issue I see though is that routes are added in "network", and these 
may result in errors if interfaces are down.

An alternative is to let pf get the IPs before they are configured, for 
example by parsing rc.conf (the same way network does). I'd however 
prefer an external file that would contain the IPs (and other options), 
something like
# cat /etc/netaddr
ex0   inet   10.1.2.3   255.255.255.0    $options
...
which can be readily parsed by a while read.
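As an added illustration (not part of the original post), here is how such a file could be turned into pf macros with a while read loop, so the ruleset can be loaded before "network" configures the interfaces; the /etc/netaddr name and the "ifname inet addr netmask options" column layout are assumptions taken from the proposal above, and the sample contents are constructed.

```shell
#!/bin/sh
# Added example: parse the proposed /etc/netaddr format and emit one pf
# macro per interface (e.g.  ex0_addr = "10.1.2.3/24"), so pf.conf can
# reference addresses before the interfaces are configured.
# File name and column layout are assumptions from the mail, not NetBSD's.

# Constructed sample input in the proposed layout; the first line is a
# comment and must be skipped by the parser.
NETADDR_SAMPLE='# cat /etc/netaddr
ex0   inet   10.1.2.3   255.255.255.0    up
wm0   inet   192.168.5.1   255.255.255.0    up
'

# mask_to_prefix: dotted-quad netmask -> prefix length (255.255.255.0 -> 24).
# Counts set bits; assumes a contiguous mask.
mask_to_prefix() {
    prefix=0
    oldifs=$IFS; IFS=.
    for octet in $1; do
        while [ "$octet" -gt 0 ]; do
            prefix=$((prefix + (octet & 1)))
            octet=$((octet >> 1))
        done
    done
    IFS=$oldifs
    printf '%s' "$prefix"
}

# netaddr_to_pf_macros: reads netaddr lines from stdin and prints pf macros.
# Blank and '#' lines are skipped; lines that are not "inet" with an address
# and a netmask are reported on stderr and skipped.
netaddr_to_pf_macros() {
    while read -r ifname family addr mask options; do
        case "$ifname" in
            ''|'#'*) continue ;;
        esac
        if [ "$family" != "inet" ] || [ -z "$addr" ] || [ -z "$mask" ]; then
            printf 'netaddr: skipping malformed line for %s\n' "$ifname" >&2
            continue
        fi
        printf '%s_addr = "%s/%s"\n' "$ifname" "$addr" "$(mask_to_prefix "$mask")"
    done
}

# Stand-alone run on the constructed sample (real use: < /etc/netaddr).
printf '%s' "$NETADDR_SAMPLE" | netaddr_to_pf_macros
```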