Phillip,

The security implications are the same as having that port on that machine exposed directly to the internet.

Example: Port forwarding port 3389 (Terminal Server) from the firewall to port 3389 on a NT/2000 system behind the firewall. Terminal Server is totally exposed, it's like taking a pipe and tunneling all communications on port 3389 to the NT/2000 system. So if there is a vulnerability in Terminal Server (which there is) then Terminal Server is susceptible to this vulnerability, despite the fact that you have the firewall in place.

During a scan of your firewall (with port forwarding enabled on port 3389) you would see that port 3389 was open and accepting connections. So you would know that there was a Terminal Server connection there, but the TCP/IP signature and timing would look like a Linux box. Opening a Terminal Server connection to the box would bring up a Terminal Server login screen to a potential intruder. Then he/she could attempt to gain access using any other information that could be gleaned from the scan, and possibly guess usernames/passwords etc, or use a known Terminal Server vulnerability to gain access.

So in short, port forwarding is creating a tunnel from your firewall into the internal system. Any traffic directed at your firewall on that port will be transferred directly to the internal system.

Hope this helps,
Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, April 26, 2002 9:12 AM
To: [EMAIL PROTECTED]
Subject: [Leaf-user] internal NAT question

I have situations in which my vpn router is a peer to a proxy server. The proxy server is the default gateway for the servers behind it. Therefore I use NAT on the internal interface to force traffic to the servers back through the router. This is approximately the same thing as port forwarding. Does anyone know of any security implications in this?

Thanx.
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
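
Added example, not part of the original thread: a small Python audit for the point made in the reply above, that a forwarded port is exposed as if the internal host sat directly on the internet. It assumes the firewall's rules are available in `iptables-save` format; the sample ruleset, interface names and addresses are constructed for illustration.

```python
import shlex

# Constructed sample in iptables-save format (assumption: the firewall uses
# iptables; addresses are private/documentation ranges, not from the thread).
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.10:3389
-A PREROUTING -s 203.0.113.0/24 -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.20:22
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

def parse_forwards(ruleset):
    """Return one dict per DNAT (port-forward) rule found in the nat table.
    Negated matches ("! -s ...") and multiport rules are not handled."""
    forwards, table = [], None
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith("*"):          # table header, e.g. "*nat"
            table = line[1:]
            continue
        if table != "nat" or not line.startswith("-A "):
            continue
        tok = shlex.split(line)
        if "-j" not in tok or tok[tok.index("-j") + 1] != "DNAT":
            continue

        def opt(name, default=None):
            return tok[tok.index(name) + 1] if name in tok else default

        forwards.append({
            "proto": opt("-p", "any"),
            "dport": opt("--dport", "any"),
            "source": opt("-s", "0.0.0.0/0"),   # no -s means any source
            "target": opt("--to-destination"),
        })
    return forwards

def unrestricted(forwards):
    """Forwards reachable from any source address: the internal service is
    as exposed as if it were on the internet itself."""
    return [f for f in forwards if f["source"] == "0.0.0.0/0"]

if __name__ == "__main__":
    for f in unrestricted(parse_forwards(SAMPLE_RULES)):
        print(f"{f['proto']}/{f['dport']} -> {f['target']} open to any source")
```

On the sample, only the 3389 forward is reported; the port 22 forward is limited to one source network and is not flagged.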