Question on the safety of sharing NFS with untrusted machines.
I'm looking at re-arranging my network, which currently consists of an
ipmasq box with 3 NICs, one going to the outside, one going to a DMZ,
and one going to an internal network. The masq box allows a few
services into machines in the DMZ, restricts the DMZ from getting
outside except in response to incoming requests, allows one machine in
the internal network to ssh into machines in the DMZ, and otherwise
disallows the DMZ machines from getting into the internal network.

My problem is, I need to have a network mount shared between a machine
in the DMZ ("untrusted") and machines in the internal network.

Hosting NFS on the ipmasq box is not an option for me.

So my question is, is it safer to host the NFS from the DMZ and mount
remotely on machines in the internal network, or host the NFS from a
machine on the internal network and remotely mount in the DMZ? Or
does it matter? Any suggestions or pointers to relevant docs would be
greatly appreciated. Also, does anyone know what traffic, at minimum,
I need to allow to share NFS?