Support loading a default pf ruleset in case of invalid pf.conf.
If no pf rules are loaded pf will pass/allow all traffic, assuming the
kernel is compiled without PF_DEFAULT_TO_DROP, as is the case in
In other words: if there's a typo in the main pf_rules we would allow
all traffic. The new default rules minimise the impact of this.
If $pf_program (i.e. pfctl) fails to set $pf_fules and
$pf_default_rules_enable is YES we will load $pf_default_rules_file if
set, or $pf_default_rules.
$pf_default_rules can include multiple rules, for example to permit
traffic on a management interface. Seperate multiple rules with \n:
$ sudo sysrc pf_default_rules
pf_default_rules: block drop log all\npass quick on em0
pf_default_rules_enable defaults to "NO", preserving historic behaviour.
man page changes by ceri@.
Sponsored by: semaphor.dk