On Wed, Jul 05, 2006 at 02:36:44AM -0400, Nick Guenther wrote:
> # pfctl -F all && echo "block all" | pfctl -f -
> then the switch over to the new ruleset is pretty snappy and hardly
> enough time for any malicious packets to get through.
Flushing the ruleset is totally unnecessary when loading a new ruleset. Simply do:

# pfctl -f /etc/pf.conf

If there is some kind of error in your new ruleset, nothing changes - you're still running with your old ruleset. There is no window with no firewall rules unless you explicitly ask for it.

Even with a default block policy in the kernel, what if you load a pass all ruleset for "known/unknown" reasons? The fact is that if you're root, you can do stupid things. Get used to it, and grant access appropriately.
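The reload pattern the reply recommends, written out as a small shell function. This is an added example, not code from either poster: it assumes OpenBSD's pfctl and a config path passed as a parameter (defaulting to /etc/pf.conf). It never flushes the live rules; it parses the file first with -n so a syntax error is reported without touching anything, then lets pfctl -f swap the ruleset in a single step.

```shell
#!/bin/sh
# Added example (not from the thread): reload a pf ruleset without ever
# flushing the running rules. pfctl -f replaces the ruleset atomically and
# leaves the old rules in place if the new file fails to parse, so the only
# thing worth adding is a dry-run parse (-n) to surface the error cleanly.
# Assumes OpenBSD pfctl; the config path is a parameter (assumption).

reload_pf() {
    conf=${1:-/etc/pf.conf}

    # Parse only (-n): nothing is loaded. Any syntax error stops here and the
    # live ruleset is untouched.
    if ! pfctl -nf "$conf" >/dev/null 2>&1; then
        echo "reload_pf: $conf failed to parse; running ruleset unchanged" >&2
        return 1
    fi

    # Load for real. The kernel swaps to the new ruleset as one operation,
    # so there is no moment with an empty ruleset, unlike "pfctl -F all"
    # followed by a separate load.
    pfctl -f "$conf" >/dev/null 2>&1 || {
        echo "reload_pf: pfctl -f $conf failed" >&2
        return 1
    }
    return 0
}
```

Usage: `reload_pf /etc/pf.conf` returns 0 on a successful load and 1 (with a message on stderr) if the file does not parse, in which case the previous rules are still in force. The -n pass is a convenience for scripts and cron jobs, not a safety requirement: pfctl -f on its own already refuses to replace the running ruleset with a broken one.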