On 7/15/06, Ryan McBride <[EMAIL PROTECTED]> wrote:
> Root can do stupid things which compromise security. Obfuscation or needless complexity in an attempt to protect yourself from the root account will only make your system less secure.
If every ruleset needs to put a rule in to default to blocking packets, then that's needless complexity to me.
> Because the /etc/rc ruleset is only temporary, and quite small, I don't see the point in making performance-related changes to it (particularly performance-related changes that one would have a hard time measuring the effects of).
I doubt it could hurt.
> > and make some allowance for DHCP.
>
> DHCP uses bpf(4), and is unaffected by pf rulesets.
Ah, learn something new every day. I suppose the outbound packets are passed by the ruleset, so it makes no difference that they have a SRC IP of 0.0.0.0...

--
``I am not a pessimist. To perceive evil where it exists is, in my opinion, a form of optimism.'' -- Roberto Rossellini
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484