> Is it any safer to offer services (like a web server) one layer back from
> the firewall by enabling port forwarding?
> I.e., if I offer a service via port forwarding and someone "breaks" it,
> would any shell caused by this be forwarded also or would the connection be
> severed?

Well, that depends on the nature of the exploit. The forwarded port
will keep forwarding. And once someone has root access he can change
your configuration to suit his ends.

IMO port forwarding into the trusted part of the network can only
decrease security.

A better approach might be to place a webserver and other vulnerable
things in the DMZ (De-Militarized Zone) where a security compromise
won't affect your core network. Of course you would still do
everything you can to make those servers secure, and you would also
use detection devices like Tripwire to alert you to a security breach.

--
Manfred Bartz
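
The reasoning in the reply above, as an added example that is not part of the original message: a small Python model of which trusted-LAN hosts a compromised web server can open connections to when it is port-forwarded into the LAN versus placed in a DMZ. The addresses, rule sets and function names are constructed for illustration, and the model works on post-NAT addresses.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing plan (assumption, not from the original message).
ANY = ip_network("0.0.0.0/0")
LAN = ip_network("192.168.1.0/24")            # trusted network
DMZ = ip_network("192.168.2.0/24")            # separate firewall interface
LAN_HOSTS = ["192.168.1.20", "192.168.1.21"]  # internal machines to protect

# Firewall forwarding policies, first match wins:
# (source net, destination net, destination port or None for any, action).
# Addresses are post-NAT, i.e. what the firewall sees after the port forward.
FORWARD_INTO_LAN = [
    (ANY, ip_network("192.168.1.10/32"), 80, "accept"),  # the forwarded port
    (LAN, ANY, None, "accept"),
    (ANY, ANY, None, "drop"),
]
WEB_IN_DMZ = [
    (DMZ, LAN, None, "drop"),                            # DMZ never opens into LAN
    (ANY, ip_network("192.168.2.10/32"), 80, "accept"),  # public web service
    (LAN, ANY, None, "accept"),
    (ANY, ANY, None, "drop"),
]

def firewall_allows(policy, src, dst, port):
    """Return True if the first matching rule accepts a new connection."""
    for src_net, dst_net, dst_port, action in policy:
        if (ip_address(src) in src_net and ip_address(dst) in dst_net
                and dst_port in (None, port)):
            return action == "accept"
    return False

def same_segment(src, dst):
    """Hosts on one segment talk directly; the firewall never sees the traffic."""
    return any(ip_address(src) in net and ip_address(dst) in net
               for net in (LAN, DMZ))

def reachable_after_compromise(policy, server, port=445):
    """LAN hosts that a compromised server can open connections to."""
    return [host for host in LAN_HOSTS
            if same_segment(server, host)
            or firewall_allows(policy, server, host, port)]

if __name__ == "__main__":
    print("forwarded into LAN:", reachable_after_compromise(FORWARD_INTO_LAN, "192.168.1.10"))
    print("server in DMZ:     ", reachable_after_compromise(WEB_IN_DMZ, "192.168.2.10"))
```

In the port-forwarding layout the server shares a segment with the internal hosts, so no firewall rule is ever consulted for that traffic; in the DMZ layout every such connection has to pass the firewall's drop rule.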