Subject: Re: Should loose source routing be enabled if not IPFORWARDING?
To: None <current-users@NetBSD.ORG>
From: Ronald Khoo <ronald@cpm.COM.MY>
List: current-users
Date: 12/15/1994 10:37:07

Herb Peyerl <hpeyerl@novatel.ca> wrote:

> There were two suggestions.  One was a sysctl which I'm not fond of in
> that situation because should someone gain root on the firewall (well,
> in that case you're screwed anyhow but) then they can easily enable
> forwarding without attracting too much attention.

I guess you could argue that perhaps ipforwarding should be read-only
when the kernel security level is multiuser?

-- 
Me: Ronald Khoo  Food: Roti Chanai  Drink: Tea, weak, milky without sugar
In Malaysia: ronald@cpm.com.my  +60 3  241 5232  Computer Protocol Malaysia
In England:  ronald@demon.net   +44 81 349 0063  Demon Internet Services