> Since the Firewall vendors we contacted don't
>seem to pass NFS data, the solution being considered is
>to have one computer with two ethernets, one on the
>protected and one on the unprotected network. This
>computer will make the data available via NFS to
>hosts on the unsecure net.
Do you want security, or do you want NFS? Pick one.
Seriously, though, it's probably possible to do what
you propose but it might be a lot of work. You'll also need
to run portmapper and a bunch of other stuff on that machine,
which might have holes in it (I say "might" because they have
in the past). You'll also need to make sure filesystems are
exported readonly and if possible mounted noexec and nosuid
on the server.
For what setting the machine up and configuring it
right will likely cost, you could probably buy a few gigs of
hard disk space and have the inside server periodically
shove a complete disposable copy of the dataset to the
outside machine via FTP mirroring or whatnot. Obviously, if
you have terabytes of data then that's another problem (and if
you have terabytes of data you currently make available by NFS
you may already have a problem).
Generally, the rule of thumb I like to follow is
when you're making data available to the public from the
inside of the perimeter, have a means of shoving a copy from
the inside to the outside automatically. That way it's easy
to clean it up and you don't have to have an inside machine
trusting some outside machine that connects up to it requesting
From: "John D. Smith" <jsmith @