On Tue, Nov 15, 2005 at 05:11:25PM +1100, Damien Miller wrote: > Why is setting a "block all" before any interfaces are configured up not > sufficient?
I guess he recompiles all his kernels with 'options IPFILTER_DEFAULT_BLOCK' on principle. The principle being that it sounds more secure. It wasn't enabled by default on OpenBSD. And I've never seen anyone enable it. Well, maybe except for some heresay from people who shot themselves in the foot with it. Believe it or not, we now survived more than four years without that feature, and noone ever complained (much less called it a 'fatal flaw'), so you'll have to excuse me for, well, *yawn*. Daniel
