
Re: Is NFS export r/o safe from lan to dmz?



On Tue, Mar 04, 2008 at 08:32:50AM +0100, Peter Teunissen wrote:
> On Mon, March 3, 2008 21:00, NN_il_Confusionario wrote:
> > On Mon, Mar 03, 2008 at 12:03:32PM -0500, Douglas A. Tutty wrote:
> >> Wouldn't a chrooted ftp server do the same thing?
> >
> > ftp is an intrinsically more complex protocol than http (see the problems
> > for firewalls with active/passive ftp...
> >
> > Moreover, the security history of ftp daemons is worse than the security
> > history of http daemons (and it is possibly even worse than the security
> > history of portmap/nfsd)
> >
> 
> Neither ftp nor minimalistic http would work in this case. Ftp is too
> unsafe and minimal http wouldn't be sufficient for the streaming scripts /
> mods.
> 
> I think rsync would be the only viable option. I'll go shopping for some
> diskspace...

You may not need much diskspace, just rsync the requested file
on-the-fly and remove it when the user is finished with it.  I also
think that this was the intention of the minimal http or ftp server:
send the file and let the http server on the DMZ box serve the file to
the 'net.

Doug.

