Subject: Re: Non-sensible sysctl defaults
To: Paul Hoffman <phoffman@proper.com>
From: None <wulf@ping.net.au>
List: netbsd-help
Date: 01/18/2003 14:24:19
> 
> Greetings. NetBSD 1.6 ships with /sbin/setkey. setkey only makes 
> sense if IP forwarding is on. However, the sysctl setting 
> net.inet.ip.forwarding defaults to 0.
> 
> Either this should default to 1, or setkey should test for 
> net.inet.ip.forwarding being 1 and report if it is set incorrectly.

Setting net.inet.ip.forwarding to 1 by default would be a security risk
for those users that are not aware of its consequences and is appropriate
for most installations that don't require it.

As for setkey, it will only be executed if the system is configured for
IPSec. Proper configuration of IPSec requires extensive knowledge and those
who do will be aware of IP-Forwarding... ;-)

cheerio Berndt