Hey,

On the FreeBSD pf list someone mentioned that they wanted the ability to have a "default deny" policy with pf, like the old ipf kernel option. That reminded me that I thought the same thing when I started with pf. I know, I know, it's not a terribly useful setup until the pass rules get loaded, but by enforcing "default deny" in both pf and in the rules, you're less likely to forget it in one place or the other. And yes, I'm aware that it is enabled in /etc/rc before /etc/netstart is even called.

Also, it's right in line with OpenBSD's "default secure" ideology. BTW, the ruleset loaded in /etc/rc could use "set skip" on lo0, and quick rules, and make some allowance for DHCP.

-- 
``I am not a pessimist. To perceive evil where it exists is, in my opinion, a form of optimism.'' -- Roberto Rossellini
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
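A minimal boot-time ruleset of the shape the post suggests (default deny stated in the rules, "set skip" on lo0, quick rules, and just enough allowance for a DHCP client), as an added example that is not from the post or from OpenBSD's own /etc/rc; the interface name em0 is an assumption:

```pf
# Added example, not the ruleset shipped in /etc/rc. The interface name is assumed.
wan = "em0"

# Loopback is never filtered at boot; skipping it keeps local services working.
set skip on lo0

# Default deny written into the rules themselves, so the policy is visible here
# even if the kernel-side default is changed later.
block all

# DHCP client traffic only. "quick" stops evaluation at the first match, so a
# later, broader rule in the same file cannot override these.
# Discover/Request leave from port 68 to port 67 (usually to the broadcast address).
pass out quick on $wan inet proto udp from any port 68 to any port 67

# Offer/Ack may be sent from the server's address to the broadcast address,
# which the outbound state entry does not match, so allow them in explicitly.
pass in quick on $wan inet proto udp from any port 67 to any port 68
```

Everything not matched by the two quick rules falls through to "block all", which is the point of the exercise.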