On Tue, 18 Jul 2006, Can Erkin Acar wrote:

> On Sun, Jul 16, 2006 at 07:02:00PM -0500, Travis H. wrote:
> > On 7/15/06, Ryan McBride <[EMAIL PROTECTED]> wrote:
> > >Root can do stupid things which compromise security. Obfuscation or
> > >needless complexity in an attempt to protect yourself from the root
> > >account will only make your system less secure.
> > 
> > If every ruleset needs to put a rule in to default to blocking
> > packets, then that's needless complexity to me.
> 
> No, needless complexity is a compile time option that makes it
> impossible to know whether a given installation needs the block rule
> or not.

I'd just prefer that deny-all was the default and not an option at all.

Mismatches between pfctl and the kernel happen on -current from time to
time, and I think being locked out is better than falling back to permit
all...

-d
