Group,

Sorry for the unintentional curtness of this post.... I'm a bit decaffeinated.

Humbly,
Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Fink
Sent: Saturday, April 27, 2002 10:22 AM
To: Tony; LEAF-List
Subject: RE: [Leaf-user] internal NAT question

Tony,

The use of ipmasqadm portfw allows the packets to pass untouched by ipchains.

Steve

-----Original Message-----
From: Tony [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 26, 2002 5:09 PM
To: Steve Fink; LEAF-List
Subject: RE: [Leaf-user] internal NAT question

Would not the ipchains/iptables rules be applied? Could you not say "forward only traffic from external_ip/32 to internal_server/32 port 3389" or whatever, and essentially say, yeah, this port is open but only for this one client on the internet? All others would be rejected/denied. Or am I mistaken, and port forwarding bypasses all rules?

Thanks,
Tony

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Fink
Sent: Friday, April 26, 2002 3:55 PM
To: LEAF-List
Subject: RE: [Leaf-user] internal NAT question

Phillip,

The security implications are the same as having that port on that machine exposed directly to the internet.

Example: port forwarding port 3389 (Terminal Server) from the firewall to port 3389 on an NT/2000 system behind the firewall. Terminal Server is totally exposed; it's like taking a pipe and tunneling all communications on port 3389 to the NT/2000 system. So if there is a vulnerability in Terminal Server (which there is), then Terminal Server is susceptible to this vulnerability, despite the fact that you have the firewall in place.

During a scan of your firewall (with port forwarding enabled on port 3389) you would see that port 3389 was open and accepting connections. So you would know that there was a Terminal Server connection there, but the TCP/IP signature and timing would look like a Linux box. Opening a Terminal Server connection to the box would bring up a Terminal Server login screen to a potential intruder. Then he/she could attempt to gain access using any other information that could be gleaned from the scan, and possibly guess usernames/passwords etc., or use a known Terminal Server vulnerability to gain access.

So in short, port forwarding is creating a tunnel from your firewall into the internal system. Any traffic directed at your firewall on that port will be transferred directly to the internal system.

Hope this helps,
Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, April 26, 2002 9:12 AM
To: [EMAIL PROTECTED]
Subject: [Leaf-user] internal NAT question

I have situations in which my VPN router is a peer to a proxy server. The proxy server is the default gateway for the servers behind it. Therefore I use NAT on the internal interface to force traffic to the servers back through the router. This is approximately the same thing as port forwarding. Does anyone know of any security implications in this?

Thanx.

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
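As an added example (not from any of the posts above), here are the ipchains and ipmasqadm commands for the two configurations Steve and Tony are debating, written as a dry-run script that prints the rules rather than applying them. All addresses, interface and host names are constructed; the restricted variant assumes the input chain sees the packet before the portfw redirect, which is exactly the point the thread disputes, so confirm it by scanning the forwarded port from a host that is not the allowed client.

```shell
#!/bin/sh
# Added example, not from the thread. Emits the rules for a forwarded Terminal Server
# port: first open to every source (the situation Steve describes), then with an
# input-chain filter that admits only one client (what Tony proposes).
# Addresses use RFC 5737 documentation ranges and are constructed for this example.
EXT_IF=eth0
EXT_IP=198.51.100.1        # firewall's external address (constructed)
INT_HOST=192.168.1.10      # NT/2000 Terminal Server behind the firewall (constructed)
CLIENT=203.0.113.5         # the single internet client that should be admitted (constructed)
PORT=3389

# Weak: forward the port for every source. Equivalent to exposing INT_HOST:3389 directly.
portfw_open() {
    echo "ipmasqadm portfw -a -P tcp -L $EXT_IP $PORT -R $INT_HOST $PORT"
}

# Restricted: accept the port only from CLIENT, log and deny every other source,
# then forward. Assumes the input chain is evaluated before the portfw redirect.
portfw_restricted() {
    echo "ipchains -A input -i $EXT_IF -p tcp -s $CLIENT/32 -d $EXT_IP/32 $PORT -j ACCEPT"
    echo "ipchains -A input -i $EXT_IF -p tcp -d $EXT_IP/32 $PORT -l -j DENY"
    echo "ipmasqadm portfw -a -P tcp -L $EXT_IP $PORT -R $INT_HOST $PORT"
}

# Count how many rules in a generated ruleset restrict the forwarded port by source;
# zero means the forward is reachable from the whole internet.
source_restricted_rules() {
    "$1" | grep -c -- "-s $CLIENT/32" || true
}

# Print both rulesets for review; pipe one through sh only after checking it.
echo "# open forward:";       portfw_open
echo "# restricted forward:"; portfw_restricted
```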