I've followed the relatively recent discussions of NFS servers and firewalls
(generally ==> don't do it). Agreed. However, I would like to occasionally
mount internal filesystems from the bastion host - e.g. run NFS client there.
This would be for use by the administrator of the bastion host (me) only - not
in any way a 'public' service. I'd manually (or automount) things when and as
needed. For example, a readonly partition containing tripwire and its database.
Also, rw partition containing various scripts and admin tools that I'd as soon
NOT leave on the firewall itself.
So far as I can determine, there should be no particular risk in doing this.
It doesn't look like I'd have to run portmapper or any nfsiod's, and only root
could do the mounts. I.M.Cracker might get root on the bastion, discover the
remote filesystems, and then do bad things to them. By then, I'm pretty dark
toast anyhow... BTW - the filesystems in question would be exported ONLY to
the bastion host, and would NOT contain user files/logins and such.
I'd much rather ask a slightly dumb question than not ask and do a really dumb
thing, so -- have I missed something?
Thanks In Advance
-jim
Jim Bostwick
Cargill Inc.