Over in the comp.unix.bsd.freebsd.misc news group, there's a discussion about what happens when PF loads, specifically a perceived 'window of opportunity' for an attacker in the interval between PF getting enabled and the rule set loading, and what happens if the rule set you load at boot time is an empty or invalid rule set.
On FreeBSD, it is possible to compile your kernel with options to make 'block all' the default in absence of a rule set. This apparently works for all the other firewall systems supported by FreeBSD, but not PF. You should not be surprised to learn that there are people who feel that this feature, described as 'booting to a safe state regardless of failure or success of ruleset load' is a necessary feature of 'any firewall worthy of the name'. I'm trying to make up my mind whether some way to set PF to 'block all' default outside of the rule set itself is a desirable feature. For a bit of context, the thread in question starts at <[EMAIL PROTECTED]>

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
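One way to get the fail-closed behaviour the thread asks about without a kernel option is to check the rule set before it is loaded and substitute a minimal block-all policy when the file is missing, empty, or fails to parse. The script below is an added example for this post, not code from the thread or from FreeBSD's rc scripts. It relies on two real pfctl invocations, `pfctl -nf FILE` (parse only, load nothing) and `pfctl -f FILE` (load), plus `pfctl -e` to enable PF. The fallback file path `/etc/pf.fallback.conf` and the `PFCTL` override variable are assumptions made for this example, not FreeBSD defaults.

```shell
#!/bin/sh
# Added example: load a PF rule set only after it has been validated, and fall
# back to a constructed block-all rule set if validation fails. PFCTL can be
# pointed at a stub for testing; FALLBACK_RULES is an assumed path, not a default.

PFCTL="${PFCTL:-pfctl}"
FALLBACK_RULES="${FALLBACK_RULES:-/etc/pf.fallback.conf}"

# Write the minimal fail-closed rule set to the given path.
# 'set skip on lo0' keeps loopback working; everything else is blocked.
write_fallback() {
    cat > "$1" <<'EOF'
# Fail-closed fallback rule set (constructed example)
set skip on lo0
block all
EOF
}

# Return 0 if the file is non-empty and pfctl can parse it, 1 otherwise.
# pfctl -nf parses the file without loading it into the kernel.
ruleset_ok() {
    f="$1"
    [ -s "$f" ] || return 1
    "$PFCTL" -nf "$f" >/dev/null 2>&1
}

# Print the path of the rule set that should actually be loaded:
# the primary file if it validates, otherwise a freshly written fallback.
choose_ruleset() {
    if ruleset_ok "$1"; then
        printf '%s\n' "$1"
    else
        write_fallback "$2"
        printf '%s\n' "$2"
    fi
}

# Load the chosen rule set first, then enable PF, so there is no interval
# in which PF is enabled with no rules in place.
load_pf() {
    rules=$(choose_ruleset "$1" "$2")
    "$PFCTL" -f "$rules" && "$PFCTL" -e
}

# Usage (run as root on a PF host): load_pf /etc/pf.conf "$FALLBACK_RULES"
```

Because `choose_ruleset` falls back whenever `pfctl -nf` rejects the file, a syntax error introduced by an edit to `pf.conf` leaves the host blocking everything rather than passing everything, which is the 'safe state' the thread describes. Note that `pfctl -e` reports an error if PF is already enabled, so on a running system you would normally run only the `pfctl -f` step.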