On Mon, 19 Oct 2015 12:47:46 -0600 Theo de Raadt <dera...@cvs.openbsd.org> wrote:
> > > The supplied patch allows the rc.conf(8) pf
> > > variable to be set to MINIMAL (in addition to
> > > the current YES and NO). A setting of MINIMAL
> > > loads the rc(8) default pf ruleset and enables
> > > pf. MINIMAL means that rc(8) does not load
> > > /etc/pf.conf. Any loading of /etc/pf.conf
> > > is left to the sysadm.
>
> > I read your explanation, but I really don't see the point.

Consider what happens when the IP number of some server, say an SMTP server, is changed.

1) DNS must be updated.

2) On the firewall the pf rules or some pf table content must be changed. But keeping a single IP, like that of an SMTP server, in a table is inefficient and overly complicated. So pf.conf must be edited. (Most rules are kept in files and are not programmatically generated.)

3) Then the rules must be reloaded.

But if you write DNS names into your pf.conf file then step 2 can be eliminated. All that's required is to reload the rules. Eliminating an extra editing step reduces error.

Regards,

Karl <k...@meme.com>
Free Software: "You don't pay back, you pay forward." -- Robert A. Heinlein
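The three ways of naming the SMTP server that Karl's message contrasts, written out as a constructed pf.conf fragment. This is an added illustration, not part of the thread or of the patch under discussion; the interface name, the host name mail.example.com and the address 192.0.2.25 are placeholders.

```conf
# Variant A: literal address. Changing the server's IP means editing this
# file (step 2 in the message above) and then reloading the ruleset.
pass in on egress proto tcp from any to 192.0.2.25 port smtp

# Variant B: a table holding the single address. Still an edit of pf.conf
# (or a separate pfctl -t ... -T replace) when the address changes.
table <mailservers> { 192.0.2.25 }
pass in on egress proto tcp from any to <mailservers> port smtp

# Variant C: a DNS name in the rule. pf resolves the name when the ruleset
# is loaded, so after DNS is updated only a reload is needed, no edit.
pass in on egress proto tcp from any to mail.example.com port smtp
```

With variant C, `pfctl -nf /etc/pf.conf` parses and resolves the file without loading it, which surfaces a name that no longer resolves before the live ruleset is touched; `pfctl -f /etc/pf.conf` then performs the reload, and `pfctl -s rules` shows the rule with the address it was expanded to. Two properties of load-time resolution are worth keeping in mind: the rule is frozen to whatever the name resolved to at load, so a later DNS change still requires a reload, and if the name resolves to several addresses pf expands the rule to one entry per address, so the effective ruleset depends on what the resolver returned at that moment.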