IMHO, putting a box on the interweb has security implications. But port-forwarding in itself isn't exactly a security problem. I use port forwarding to forward packets to a dmz, so on the off-chance that I am r00t'd, all they have access to is the dmz. They still would have to be real sneaky to get into my internal network, unless they can exploit the firewall, which isn't running any services.

From my understanding, using port forwarding into a dmz is a very good idea. Running services on your firewall is a much greater risk than port forwarding, since if the firewall is r00t'd, then they control the access point to the interweb and can sniff user/pass at will, and do whatever else they feel inclined to do.

Not trying to start a huge thread or a flame, but pointing out that port-forwarding in itself doesn't have any security implications, it's the implementation of port-forwarding that can have security implications.

My .03, adjusted for inflation

Steven
"exitus acta probat"
"fide, sed cui vide"

-----Original Message-----
From: Phillip Hofmeister [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 13, 2002 6:42 AM
To: [EMAIL PROTECTED]
Cc: debian-security@lists.debian.org
Subject: Re: Emulate real ip's to access intranet hosts from outside

I think it is worth pointing out that port-forwarding has security implications. If one of your services is compromised (even if it is not running as root) the attacker now has a good amount of access to your local/internal network. I would only forward ports when absolutely needed and only to a service that I absolutely trusted.

Phil