derive IP address(es) from the interface (e.g. "... from any to fxp0").
This, however, creates a window for possible attacks from the network.
Implement the solution proposed by YAMAMOTO Takashi:
Add /etc/defaults/pf.boot.conf and load it with the /etc/rc.d/pf_boot
script before starting the network. People who don't like the default
rules can override it with their own /etc/pf.boot.conf.
The default rules have been obtained from OpenBSD.
No objections on: tech-security

If extracting -s etc.tgz to a temporary directory, don't run the
embedded etc/postinstall since it doesn't exist anymore.
Remember the original SRC_DIR passed in (e.g., "-s etc.tgz") and
display that in the suggested "fix" message, rather than a temporary
path to the extracted etc.tgz which won't be correct for the next run.