Subject: Re: Non-sensible sysctl defaults
To: None <wulf@ping.net.au>
From: Paul Hoffman <phoffman@proper.com>
List: netbsd-help
Date: 01/18/2003 08:51:11
At 2:24 PM +1030 1/18/03, wulf@ping.net.au wrote:
>  >
>>  Greetings. NetBSD 1.6 ships with /sbin/setkey. setkey only makes
>>  sense if IP forwarding is on. However, the sysctl setting
>>  net.inet.ip.forwarding defaults to 0.
>>
>>  Either this should default to 1, or setkey should test for
>>  net.inet.ip.forwarding being 1 and report if it is set incorrectly.
>
>Setting net.inet.ip.forwarding to 1 by default would be a security risk
>for those users that are not aware of its consequences, and 0 is appropriate
>for most installations that don't require it.

Sounds reasonable.

>As for setkey, it will only be executed if the system is configured for
>IPSec. Proper configuration of IPSec requires extensive knowledge and those
>who do will be aware of IP-Forwarding... ;-)

Being aware of IP forwarding does not mean being aware that 
net.inet.ip.forwarding is not on.

So, should this be a bug report about setkey? That is, setkey 
shouldn't set up forwarding unless forwarding is possible?
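The pre-flight check the message suggests, as an added example that is not from the thread or from NetBSD's own setkey: a small sh wrapper reads net.inet.ip.forwarding with sysctl(8), reports when it is 0, and only then runs setkey. The check function takes the value as an argument so it can be exercised on a host without that sysctl; the /sbin/setkey path and the "unknown" fallback are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread or NetBSD): a pre-flight check of the
# kind the message proposes for setkey. check_forwarding takes the sysctl
# value as an argument so it can be tested without a NetBSD kernel;
# read_forwarding obtains the live value, falling back to "unknown" when the
# knob does not exist on this host (assumption of this example).

# Report on the value; return 0 if forwarding is on (1), 1 if it is off (0),
# 2 for anything else.
check_forwarding() {
    value="$1"
    case "$value" in
        1)
            echo "net.inet.ip.forwarding=1: IP forwarding is enabled"
            return 0
            ;;
        0)
            echo "warning: net.inet.ip.forwarding=0; this host will not forward packets" >&2
            echo "         enable it with: sysctl -w net.inet.ip.forwarding=1" >&2
            return 1
            ;;
        *)
            echo "error: unexpected value '$value' for net.inet.ip.forwarding" >&2
            return 2
            ;;
    esac
}

# Read the live sysctl; print "unknown" if it is absent (non-NetBSD host).
read_forwarding() {
    sysctl -n net.inet.ip.forwarding 2>/dev/null || echo unknown
}

# Wrapper: run setkey (path assumed) only after the check succeeds.
setkey_checked() {
    if check_forwarding "$(read_forwarding)"; then
        /sbin/setkey "$@"
    else
        return 1
    fi
}
```

Usage: `setkey_checked -f /etc/ipsec.conf` behaves like setkey when forwarding is on and otherwise prints the warning and exits non-zero, which is the "report if it is set incorrectly" behaviour asked for above.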