
Re: Is NFS export r/o safe from lan to dmz?



On Mon, Mar 03, 2008 at 09:51:47AM +0100, Peter Teunissen wrote:
> On Mon, March 3, 2008 06:56, NN_il_Confusionario wrote:
> > perhaps a minimal and secure (or at least much less complex and so safer
> > than the portmap/nfsd daemons) web server on the machine having the
> > files, plus a reverse proxy web server on the machine in the dmz (or a
> > direct port forwarding on the router/firewall).
> 
> I was thinking of using the reverse proxy setup.
> How would portmapper/nfs be more vulnerable than apache2?

I was NOT talking about apache in the LAN. If you already need apache in
the DMZ, then you can configure it to work also as reverse proxy. But in
the LAN I would only put a minimal/secure web server: it only serves
static files, with no ability for cgi/ssi/php/whatever, and runs as a
non-root user chrooted in a directory where it can read files but not write
or execute them. Debian has many such minimal web servers (and
debian-devel is discussing these days whether there are already too
many or conversely not sufficiently many).

-- 
Whoever uses non-free software poisons you too. Tell them to stop.
Computing=arsenic: minimal doses in rare pathological cases, otherwise lethal.
Computing=bomb: intelligent only for the stupid people who believe in it.
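
The constraint described in the message above (a non-root server that can read the files in its directory but not write or execute them) can be checked on disk. This is an added example, not part of the original message: a Python audit of a document root for one service account. The function names, the sample tree and the uid passed in are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

def class_bits(st, uid, gids):
    """rwx bits (0-7) the kernel applies to this uid/gid set for one inode."""
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        return (mode >> 6) & 7
    return (mode >> 3) & 7 if st.st_gid in gids else mode & 7

def audit_docroot(root, uid, gids):
    """Return sorted (relative path, problem) pairs for one service account."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in ["."] + dirnames + filenames:
            path = os.path.normpath(os.path.join(dirpath, name))
            st, rel = os.lstat(path), os.path.relpath(path, root)
            if name != "." and stat.S_ISDIR(st.st_mode):
                continue  # audited as "." when os.walk descends into it
            if stat.S_ISLNK(st.st_mode):
                findings.append((rel, "symlink"))  # target needs a manual look
                continue
            bits = class_bits(st, uid, gids)
            if st.st_uid == uid:
                findings.append((rel, "owned"))  # owner can chmod it back
            if bits & 2:
                findings.append((rel, "writable"))
            if stat.S_ISREG(st.st_mode) and bits & 1:
                findings.append((rel, "executable"))  # dirs need x to traverse
            if not bits & 4:
                findings.append((rel, "unreadable"))  # server cannot serve it
    return sorted(findings)

def build_sample_tree():
    """Constructed sample docroot: one good file, three deliberate mistakes."""
    root = tempfile.mkdtemp(prefix="docroot-")
    for name, mode in {"index.html": 0o644, "notes.txt": 0o666, "backup.sh": 0o755}.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    os.mkdir(os.path.join(root, "incoming"))
    os.chmod(os.path.join(root, "incoming"), 0o777)
    os.chmod(root, 0o755)
    return root

if __name__ == "__main__":
    root = build_sample_tree()  # uid below is a hypothetical non-owner account
    for rel, problem in audit_docroot(root, os.lstat(root).st_uid + 1, set()):
        print(f"{problem:11} {rel}")
```

The "owned" finding matters even when the mode bits look right: an account that owns a file can change its mode, so the served tree should belong to a different user than the one the server runs as.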

