Subject: Re: Should loose source routing be enabled if not IPFORWARDING?
To: George Michaelson <G.Michaelson@cc.uq.oz.au>
From: Herb Peyerl <hpeyerl@novatel.ca>
List: current-users
Date: 12/14/1994 05:59:57
George Michaelson <G.Michaelson@cc.uq.oz.au> wrote:
 > Anybody have any idea what NetBSD maybe should do by default? Seems to
 > me that disabling forwarding doesn't necessarily imply no packet transit
 > through the kernel, and that a distinct option in the kernel config might
 > be wanted to make a box into a firewall.

I also disable forwarding on our firewall box and I've thought about
how to make this easily configurable without being too easily configurable.

There were two suggestions.  One was a sysctl which I'm not fond of in
that situation because should someone gain root on the firewall (well,
in that case you're screwed anyhow but) then they can easily enable
forwarding without attracting too much attention.

The next option was an "option" which I'm also not fond of because there
are altogether too many options...

I also wanted to put in some logging whereby if someone did send a source
routed packet and forwarding was disabled, then it would log as much about
the packet as it knew...

Discussion?
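As an added example, not code from this thread or from NetBSD's ip_input, here is the check Herb sketches: walk an IPv4 header's option area and, with forwarding disabled, drop any loose (LSRR, 131) or strict (SSRR, 137) source-routed packet while recording what the header told us so the caller can log it; malformed option fields are dropped regardless. The function and struct names and the sample packet are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* IPv4 option types (RFC 791): 131 = loose source route, 137 = strict source route. */
enum { IPOPT_EOL = 0, IPOPT_NOP = 1, IPOPT_LSRR = 131, IPOPT_SSRR = 137 };
enum verdict { PASS = 0, DROP_SOURCE_ROUTED = 1, DROP_MALFORMED = 2 };

/* Everything we know about the packet when we drop it: addresses (host byte order),
 * which source-route option it carried, its length and how many route entries it holds. */
struct srr_log { uint32_t src, dst; uint8_t opt_type, opt_len, hops; };

#define RD32(p) (((uint32_t)(p)[0] << 24) | ((uint32_t)(p)[1] << 16) | ((uint32_t)(p)[2] << 8) | (p)[3])

/* With forwarding off, a packet carrying LSRR/SSRR is dropped and *lg is filled for
 * logging. With forwarding on, the stack's normal forwarding path decides (PASS here). */
enum verdict check_source_route(const uint8_t *pkt, size_t len, int ip_forwarding, struct srr_log *lg)
{
    *lg = (struct srr_log){0};
    if (len < 20 || (pkt[0] >> 4) != 4) return DROP_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;            /* header length in bytes */
    if (ihl < 20 || ihl > len) return DROP_MALFORMED;    /* truncated header */
    lg->src = RD32(pkt + 12);
    lg->dst = RD32(pkt + 16);
    for (size_t i = 20; i < ihl;) {                      /* option area: bytes 20..ihl-1 */
        uint8_t type = pkt[i];
        if (type == IPOPT_EOL) break;
        if (type == IPOPT_NOP) { i++; continue; }
        if (i + 1 >= ihl) return DROP_MALFORMED;         /* no room for the length byte */
        uint8_t olen = pkt[i + 1];
        if (olen < 2 || i + olen > ihl) return DROP_MALFORMED;
        if (type == IPOPT_LSRR || type == IPOPT_SSRR) {
            if (olen < 3) return DROP_MALFORMED;         /* needs type, length, pointer */
            lg->opt_type = type;
            lg->opt_len = olen;
            lg->hops = (uint8_t)((olen - 3) / 4);        /* 4-byte route entries after the pointer */
            return ip_forwarding ? PASS : DROP_SOURCE_ROUTED;
        }
        i += olen;
    }
    return PASS;
}

/* Constructed sample: IHL 8 (32 bytes), 10.0.0.5 -> 192.0.2.1, LSRR via 192.0.2.2, 192.0.2.3. */
const uint8_t sample_lsrr_pkt[32] = {
    0x48, 0x00, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
    10, 0, 0, 5, 192, 0, 2, 1,
    IPOPT_LSRR, 11, 4, 192, 0, 2, 2, 192, 0, 2, 3, IPOPT_EOL };
```

The caller formats `struct srr_log` into whatever log line it likes; on a firewall with forwarding off, every DROP_SOURCE_ROUTED verdict is worth recording.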