> If someone connects to PC Anywhere from outside the internal network, 
> through the card that faces the external network, can they get access to 
> the internal network?
I'm going to have to say "yes".  IP forwarding, in my experience,
constitutes the ability of packets traversing a router or host to be
forwarded between the appropriate interfaces, which does not usually
apply to locally generated traffic.  Packets of this type are usually
not targeted at the machine itself, but a machine within one of the
subnets located on either side of the 2 NICs.

> Given that IP Forwarding is disabled I would imagine not. But as using PC 
> Anywhere is just like sitting at a machine I wondered if anyone could 
> confirm my guess.
You just hit the nail on the head.  Since the pc-anywhere-ee is
considered a local user, the packets are being generated at the machine
itself, not traversing the machine as if it were a router.  My guess is
that even if the user comes in on the outside interface, a packet
targeted at the internal network will be looked up in the routing table
and routed to the appropriate NIC, just as if the person were sitting at
the console of the machine.   Terminal Services will most likely have
the same effect - again, the user would be generating traffic local to
the machine's routing table.

Giving external users access as a normal, unprivileged Windows user with
a desktop account is dangerous, no matter how you slice it, let alone if
the machine has access to an internal network.

A more appropriate solution to this problem would be to implement
state-based filters in between the host and the internal LAN that allow
traffic to traverse the internal LAN only if the handshake SYN came from
that direction.

-- 
[ rich henning      ]                                             /"\
[ [EMAIL PROTECTED] ]                                             \ /
                                                                   X
support the ascii ribbon campaign against html e-mail             / \
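
The two points made in the reply above, modelled as an added example that is not part of the original message: a dual-homed host with forwarding disabled still routes locally generated traffic, and a stateful filter in front of the LAN only passes flows whose SYN came from the LAN side. All addresses, ports, class and method names here are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/24")   # constructed internal LAN
HOST_INT = ip_address("10.0.0.1")      # host's internal NIC (constructed)
HOST_EXT = ip_address("192.0.2.1")     # host's external NIC (constructed)


class DualHomedHost:
    """Two NICs; the forwarding flag only governs packets transiting the host."""

    def __init__(self, ip_forwarding=False):
        self.ip_forwarding = ip_forwarding

    def receive(self, dst):
        # Packet arrived from the wire on either NIC.
        dst = ip_address(dst)
        if dst in (HOST_INT, HOST_EXT):
            return "deliver-local"     # e.g. the remote-control service itself
        return "forward" if self.ip_forwarding else "drop"

    def send_local(self, dst):
        # Traffic generated on the host (console user or remote-control
        # session): routing table lookup only, forwarding flag not consulted.
        return "out-internal" if ip_address(dst) in INTERNAL else "out-external"


class StatefulFilter:
    """Sits between the host and the LAN; only LAN-initiated flows pass."""

    def __init__(self):
        self.flows = set()

    def check(self, src, sport, dst, dport, flags, from_lan):
        key = frozenset([(src, sport), (dst, dport)])
        if flags == "SYN":             # new connection attempt
            if not from_lan:
                return "drop"          # the host may not open flows into the LAN
            self.flows.add(key)
            return "accept"
        # Everything else must belong to a flow the LAN side started.
        return "accept" if key in self.flows else "drop"


if __name__ == "__main__":
    host, fw = DualHomedHost(ip_forwarding=False), StatefulFilter()
    print(host.receive("10.0.0.50"))      # transit packet: drop
    print(host.send_local("10.0.0.50"))   # remote session's packet: out-internal
    print(fw.check("10.0.0.1", 40000, "10.0.0.50", 445, "SYN", from_lan=False))
```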
