Subject: Re: getting ipnat working
To: James Wetterau <jwjr@ignition.name.net>
From: Laine Stump <lainestump@rcn.com>
List: current-users
Date: 11/30/1999 22:12:58
At 07:30 PM 11/30/99 -0500, James Wetterau wrote:
>Right, and if I tell my machine I want ipfiltering and ipnat'ing by
>explicitly setting them to "YES" in rc.conf, I think the system should
>turn ipforwarding on (i.e. do the sysctl for me at boot time), even
>though it starts out as off by default.  There is no way I can want
>those two options set to "YES" in /etc/rc.conf and not also want
>ipforwarding set from 0 to 1, no?

At least for ipfilter, it is *very* useful in many cases to have
ipforwarding off. 

Example 1: You have one interface of your machine connected to the
Internet, and another connected to an internal network; everyone else on
the internal network uses a different gateway (not you) to get out to the
Internet. So, you want to protect yourself from the rest of the world, but
have no desire to route packets for anybody else.

Example 2: Your machine *is* the private network's main gateway, but it's
set up to operate purely as an application-level proxy - no packet
forwarding allowed. Being a paranoid person, you want to run ipfilter too,
for that added level of comfort.

As far as ipnat, using that in a situation where ipforwarding is off seems
less likely, but I'm sure somebody will think of a reason given enough time
;-)

Perhaps a compromise could be to add a note to rc.conf reminding people
that they need to turn ipforwarding on (hmm, I don't even remember doing
that on my system - I thought it had just happened because I have multiple
interfaces, but maybe I turned something on somewhere and have forgotten
about it...)
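The check the reply's "compromise" hints at, written out as an added example (not part of this mail or of the NetBSD rc scripts): read the ipfilter/ipnat flags from an rc.conf-style file, compare them with the current value of net.inet.ip.forwarding, and flag the one combination that is almost certainly a mistake (ipnat=YES with forwarding off) while treating ipfilter=YES with forwarding off as the legitimate host-only case from Examples 1 and 2. Assumptions: on NetBSD the live value would be read with `sysctl -n net.inet.ip.forwarding` (here it is passed as an argument so the script runs offline), and the parser only handles plain KEY=VALUE lines rather than arbitrary shell in rc.conf.

```shell
#!/bin/sh
# Added example, not part of the mail: check that an rc.conf which enables
# ipfilter and/or ipnat is consistent with the kernel's ipforwarding value.
# On NetBSD the live value would come from `sysctl -n net.inet.ip.forwarding`;
# here it is passed as an argument so the check runs offline (assumption).

# rc_value FILE KEY: print the value of "KEY=VALUE" in FILE (last one wins,
# surrounding quotes stripped), or NO when the key is not set at all.
# Assumes plain KEY=VALUE lines, not arbitrary shell constructs.
rc_value() {
    _v=$(sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([A-Za-z0-9]*\).*/\1/p" "$1" | tail -n 1)
    if [ -n "$_v" ]; then
        printf '%s\n' "$_v"
    else
        printf 'NO\n'
    fi
}

# check_forwarding FILE FORWARDING: one-line verdict for the combination of
# rc.conf flags and net.inet.ip.forwarding (0 or 1).
check_forwarding() {
    _ipf=$(rc_value "$1" ipfilter)
    _nat=$(rc_value "$1" ipnat)
    _fwd=$2
    if [ "$_nat" = "YES" ] && [ "$_fwd" != "1" ]; then
        # NAT rewrites packets the box forwards; with forwarding off it has
        # nothing to translate, which is almost certainly not what was intended.
        echo "WARN: ipnat=YES but net.inet.ip.forwarding=$_fwd (set it to 1 separately, e.g. sysctl -w net.inet.ip.forwarding=1)"
    elif [ "$_ipf" = "YES" ] && [ "$_fwd" != "1" ]; then
        # Examples 1 and 2 from the mail: filter the host's own traffic, route nothing.
        echo "OK: ipfilter=YES with forwarding=$_fwd (host-only filtering, no routing for others)"
    elif [ "$_fwd" = "1" ]; then
        echo "OK: forwarding=1 (router); ipfilter=$_ipf ipnat=$_nat"
    else
        echo "OK: no ipfilter/ipnat, forwarding=$_fwd"
    fi
}

# Demo on a constructed rc.conf fragment (the original poster's case: both
# flags YES, forwarding still at the default of 0).
_demo=$(mktemp) || exit 1
cat > "$_demo" <<'EOF'
# constructed sample rc.conf
ipfilter=YES
ipnat=YES
EOF
check_forwarding "$_demo" 0
check_forwarding "$_demo" 1
rm -f "$_demo"
```

Run it as-is to see the two verdicts for the constructed file; to check a real NetBSD box, call `check_forwarding /etc/rc.conf "$(sysctl -n net.inet.ip.forwarding)"`.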