On Sun, Jul 16, 2006 at 07:02:00PM -0500, Travis H. wrote: > On 7/15/06, Ryan McBride <[EMAIL PROTECTED]> wrote: > >Root can do stupid things which compromise security. Obfuscation or > >needles complexity in an attempt to protect yourself from the root > >account will only make your system less secure. > > If every ruleset needs to put a rule in to default to blocking > packets, then that's needless complexity to me.
No, needless complexity is a compile time option that makes it impossible to know whether a given installation needs the block rule or not. > >Because the /etc/rc ruleset is only temporary, and quite small, I don't > >see the point in making performance-related changes to it (particularly > >performance-related changes that one would have a hard time measuring > >the effects of) > > I doubt it could hurt. > > >> and make some allowance for DHCP. > >DHCP uses bpf(4), and is unaffected by pf rulesets. > > Ah, learn something new every day. > > I suppose the outbound packets are passed by the ruleset, so it makes > no difference that they have a SRC IP of 0.0.0.0... packets are sent using bpf(4) so ruleset does not really matter. Can