On Sun, Mar 02, 2008 at 11:13:20PM +0100, Peter Teunissen wrote:
> If the export would be r/o, what would be the risk of such a setup?
I don't know their current status off the top of my head, but I seem to recall nfs/portmapper having a somewhat questionable early security history. They may be completely cleaned up now. They may not. Personally, I wouldn't want to risk it.

Also, just as a matter of principle, I'm something of a purist about maintaining the closest possible approximation of a "the DMZ can open very limited connections to the outside world and absolutely nothing into the secure network" model. Every protocol on which the DMZ can contact the secure network is a ready-made attack vector for anyone who compromises a DMZ host.

> (I don't
> have the diskspace to keep a complete copy of all the files on the
> dmz, so something involving rsync is out of the question).

Disk is cheap these days. Go to newegg.com and drop $60 on a 250G hard drive. That should be large enough for you to rsync your entire music collection to the DMZ box (with periodic updates initiated from the secure network, so the DMZ is only receiving connections, not initiating them) and, even if you're making minimum wage, will probably cost less than the equivalent value of the time you would have spent on securing nfs and ensuring that it stays secure afterwards.

Not to mention the headaches of synchronizing numeric user ids across the nfs-using hosts without using nis... (I haven't used nis for a few years either, but I seem to recall it having a number of avenues by which it can be abused even without needing to compromise it per se, so using nis in the DMZ, whether it's able to connect to the secure network or not, seems like a really bad idea.)

-- 
News aggregation meets world domination. Can you see the fnews?
http://seethefnews.com/
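The push-from-the-secure-side rsync job suggested above, as an added example that is not part of the original mail; the hostname `dmz`, the account `musicsync`, the paths and the key file are assumptions, and the `check_direction` helper is a hypothetical guard that refuses to run the copy in the wrong direction.

```shell
#!/bin/sh
# Push-only sync from the secure network to the DMZ host (added example, not
# from the original mail). Runs from cron on the secure-network host; the DMZ
# host only ever accepts the connection, it never opens one into the secure net.
# Assumed: music tree /srv/music/, DMZ host "dmz", unprivileged DMZ account
# "musicsync", dedicated key ~/.ssh/dmz_musicsync (all placeholders).

SRC="/srv/music/"
DEST="musicsync@dmz:/srv/music/"
KEY="$HOME/.ssh/dmz_musicsync"

# Enforce the direction the mail describes: the local (secure) side is always
# the source and the remote (DMZ) side is always the target. Returns 1 when
# the arguments would turn the job into a pull from the DMZ.
check_direction() {
    src="$1"; dst="$2"
    case "$src" in *:*) return 1 ;; esac   # a remote source means a pull
    case "$dst" in *:*) return 0 ;; esac   # target must be the remote DMZ side
    return 1                               # local-to-local is not a push either
}

# Archive mode, delete tracks removed on the secure side, normalise modes on
# the DMZ copy (no setuid/setgid, world-readable only), and force the dedicated
# key in batch mode so the cron job never prompts or falls back to agent keys.
push_music() {
    check_direction "$SRC" "$DEST" || { echo "refusing: would pull from DMZ" >&2; return 2; }
    rsync -a --delete --chmod=D755,F644 \
        -e "ssh -i $KEY -o BatchMode=yes -o IdentitiesOnly=yes" \
        "$SRC" "$DEST"
}

# DMZ side, ~musicsync/.ssh/authorized_keys (placeholder address and key):
# from="192.0.2.10",no-port-forwarding,no-agent-forwarding,no-pty,no-X11-forwarding ssh-rsa AAAA... musicsync
# so the key is usable only from the secure host and only for the rsync job.

if [ "${1:-}" = "run" ]; then
    push_music
fi
```

Invoke as `sh push_music.sh run` from the secure host's crontab; without the argument the script only defines the functions.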