02-16-2008, 07:46 AM
Daniel Hartmeier
Re: Phantom IPV6-related packets , PF bugs?

On Sat, 27 Jan 2007 17:50:05 +0100 (CET), Nomen Nescio wrote:

> Is there a way to either delay the sending of these
> presumably OpenBSD-generated packets until after PF has
> come up fully or perhaps enable PF sooner? I'm wondering if
> the timing of these packets could be important; and the fact
> that two packets always appear to be leaving my system before
> PF even has the ability to track them.


Take a look at the temporary ruleset in /etc/rc. This is loaded
before your real /etc/pf.conf, and is briefly active. If you
want to block inet6 there (which is not recommended in general),
feel free to do so.

Obviously, pf cannot see, count, or block any packets before
it has been activated with the 'pfctl -e' call in /etc/rc.
Anything going out before that point will simply pass.

I'm not sure I understand why you'd obsess over a couple
of IPv6 neighbour solicitation packets going out (to the
local network) on boot. I guess for most people, this is not
an important point, and you'll have to tweak your rc scripts
if you really want to prevent them.

Daniel
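
Added example, not part of the original post and not OpenBSD's own code: a small shell audit that finds where an rc-style boot script runs 'pfctl -e' and lists interface-configuring commands that run before it, which is the window the reply describes. The function names, the choice of commands treated as network-starting (ifconfig, dhclient, /etc/netstart) and both sample fragments are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not OpenBSD's own code): audit an rc-style boot script for
# commands that can put packets on the wire before 'pfctl -e' has run.

# Matches a pfctl call whose flags include -e. A trailing space is appended to
# each line before matching so the flag may also end the line.
PF_ENABLE_RE='pfctl.*[ \t]-[A-Za-z]*e[A-Za-z]*[ \t]'

# Print the line number of the first 'pfctl -e' in script $1, or 0 if none.
pf_enable_line() {
    awk -v re="$PF_ENABLE_RE" '
        /^[ \t]*#/ { next }
        ($0 " ") ~ re { print NR; found = 1; exit }
        END { if (!found) print 0 }
    ' "$1"
}

# Print "LINE:TEXT" for each interface-configuring command in script $1 that
# runs before pf is enabled. If pf is never enabled, all of them are listed.
# Assumption: ifconfig, dhclient and /etc/netstart are the commands of interest.
pre_pf_network_cmds() {
    awk -v re="$PF_ENABLE_RE" '
        /^[ \t]*#/ { next }
        ($0 " ") ~ re { exit }
        /^[ \t]*(ifconfig|dhclient)[ \t]/ || /\/etc\/netstart/ { print NR ":" $0 }
    ' "$1"
}

# Constructed sample: pf enabled with a temporary ruleset before networking.
sample_pf_first() {
    cat <<'EOF'
# constructed fragment, not the real boot script
RULES="block all"
echo "$RULES" | pfctl -f -
pfctl -e
. /etc/netstart
pfctl -f /etc/pf.conf
EOF
}

# Constructed sample: rc scripts tweaked so an interface comes up first.
sample_net_first() {
    cat <<'EOF'
# constructed fragment, not the real boot script
ifconfig em0 up
. /etc/netstart
pfctl -e
pfctl -f /etc/pf.conf
EOF
}
```

Run `pre_pf_network_cmds` against a copy of the boot script under review; an empty result means no listed command precedes the point where pf is enabled.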