# What is the risk for echo 1 > /proc/sys/net/ipv4/ip_forward

## shallpion

I am setting up an openvpn server on my machine, which is behind a router's NAT, so I have to set port forwarding on the router. Also I learned I have to echo 1 > /proc/sys/net/ipv4/ip_forward to enable IP forwarding on the VPN server. However, I read in the handbook

http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=9&style=printable

that it is unsafe to set this flag on a normal machine which is only occasionally used as a VPN server. Can anybody please kindly explain why this is not safe? Thanks

----------

## Dont Panic

I don't think they were trying to say that setting up port forwarding was unsafe in all circumstances.

I believe port forwarding falls under a large class of Linux capabilities that should be turned off by default, and only turned on when you start doing something that needs it.

Just be aware that you have poked a hole in your security that will let the outside world test the robustness of the applications listening on those ports.  It increases your risk, but many of us do it.  It's up to you to decide if your application is tough enough to fend off idle probes.

----------

## Hu

The risk depends on what firewall rules you loaded, and on how well the internal systems can protect themselves.  For example, if every internal host has its own strict firewall, then the risk is minimal, since any attacker who traverses the gateway will be blocked by an internal firewall anyway.  On the other hand, if you have an internal host running Windows, you should examine the firewall rules on the gateway to ensure you do not forward traffic to the Windows system.  Better yet, you should probably examine the firewall rules to ensure it simply will not allow the Windows system to use the network.
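The two replies above make one practical point between them: ip_forward should be on only while the VPN is actually in use (Dont Panic), and what the gateway forwards once the switch is on is decided entirely by the FORWARD chain (Hu). The script below is an added example, not code from the thread or from the Gentoo handbook, showing both: it flips the sysctl only around the VPN session and loads a FORWARD chain whose default policy is DROP, so tunnel clients can reach one LAN interface and nothing else. The interface names `tun0` and `eth0`, the tunnel subnet `10.8.0.0/24`, the `DRY_RUN` switch and the `IP_FORWARD_FILE` override (so the commands can be reviewed against a scratch file instead of the real /proc entry) are all assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): enable IPv4 forwarding only while the
# VPN is up, and pair it with a FORWARD chain that drops everything except
# traffic between the tunnel interface and the one LAN interface it may reach.
# Interface names, tunnel subnet, DRY_RUN and IP_FORWARD_FILE are assumptions.

VPN_IF="${VPN_IF:-tun0}"
LAN_IF="${LAN_IF:-eth0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
# Override with a scratch file to review behaviour without touching the kernel
IP_FORWARD_FILE="${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"
# DRY_RUN=1 prints the iptables commands instead of executing them
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it when DRY_RUN=1 so the rules can be audited first
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Print the current value of the forwarding switch (0 = off, 1 = on)
forward_state() {
    cat "$IP_FORWARD_FILE"
}

# Turn the switch on or off; the argument must be exactly 0 or 1
set_forward() {
    case "$1" in
        0|1) printf '%s\n' "$1" > "$IP_FORWARD_FILE" ;;
        *)   echo "set_forward: expected 0 or 1, got '$1'" >&2; return 1 ;;
    esac
}

# Restrictive FORWARD chain: default DROP, then permit only replies to existing
# flows and new flows from the tunnel subnet into the LAN interface. Any other
# path through the gateway (tunnel to WAN, LAN to tunnel, etc.) is refused.
forward_rules_up() {
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -s "$VPN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$VPN_IF" -j DROP
}

# Leave the chain empty with a DROP policy once the VPN is down
forward_rules_down() {
    run iptables -F FORWARD
    run iptables -P FORWARD DROP
}

# Order matters: rules first, then open the switch; switch off first, then flush
vpn_up() {
    forward_rules_up
    set_forward 1
}

vpn_down() {
    set_forward 0
    forward_rules_down
}

# Usage: ./vpn-forward.sh up | down   (the file name is an assumption)
case "${1:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
esac
```

Wiring `vpn_up`/`vpn_down` into OpenVPN's `up`/`down` hooks keeps the forwarding switch tied to the tunnel's lifetime; running once with `DRY_RUN=1` prints the exact iptables commands so the FORWARD chain can be checked against what the internal hosts are prepared to defend themselves from, which is the check Hu's reply asks for.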

----------

## shallpion

That is really helpful. Thank you guys

----------

