Subject: Re: pf doesn't start normally anymore
To: Martin Husemann <martin@duskware.de>
From: Mipam <mipam@ibb.net>
List: tech-security
Date: 08/16/2005 17:44:06

On Tue, 16 Aug 2005, Martin Husemann wrote:

> On Tue, Aug 16, 2005 at 05:16:41PM +0200, mouss wrote:
> > the interfaces are already configured by "network", so it is trivial to 
> > add ifconfig down. and at worst:
> >    for if in `ifconfig -l`; do ifconfig $if down; done
> > then do the opposite after security is "ok".
> 
> That would not work on several routers here - they configure for example
> gre tunnels that should not automagically go up.
> 
> > An alternative is to let pf get the IPs before they are configured.
> 
> Some interfaces do not have IPs (or the right IP) before they are really UP
> (think PPP).

Exactly the problem I ran into. :-)
The best approach would be the suggestion from yamt: enable pf with a
default block-all policy and, when the network is up etc., load
/etc/pf.conf into pf.
Bye,

Mipam.