2009/2/26 Alexander Hall <alexan...@beard.se>

> Jean-Francois wrote:
>
>> Hi All,
>>
>> I actually built the following system :
>>
>> - OpenBSD running on a standard AMD platform
>> - This box is actually used as firewall
>> - This box is also used as webserver
>> - This box is finally used as local shared drives via NFS file but only
>> open to subnetwork through PF
>
> You _do_ have the same restrictions in /etc/exports, right? Otherwise
> disabling pf (by accident or whatever) would expose your disks to the world.
>
>> Assuming that subnetwork computers might be hacked or infected by any
>> threat
>
> That would give them full access to the NFS shares
>
>> Assuming that there is no mistake in PF rules
>
> ... but _if_? ...
>
>> Assuming that there is nothing of a third party installed on the box
>> (basically it's only a tuned system)
>
> "tuned" as in services turned on etc, I hope. Not "tuned" as in "tweaked
> and unnecessarily fiddled with".
>
>> -> Would you please confirm that hacking is almost impossible ?
>
> No.
>
>> -> Would you confirm any personal data hosted on server are safe as
>> long as the (subnet is not compromised by false manipulation of course)
>
> This goes against what you wrote above about subnetwork computers might be
> hacked etc, so ... no.
>
> #####   #   #  #####
> #    #  #   #    #
> #####   #   #    #
> #    #  #   #    #
> #####    ####    #
>
> From what it looks like, I'd say you're safe enough, unless you keep
> government secrets on your disks. :-)
>
> Personally, I'd really recommend having the firewall as firewall/gateway
> only and have another computer (or two) for the other services though.
>
> /Alexander

> -> Would you please confirm that hacking is almost impossible ?

I will go out on a limb here and say: yes - PROVIDED it is never switched on and it is kept unplugged. Security is a process not a product.
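
The /etc/exports point raised in the quoted reply can be checked mechanically. The following is an added example, not part of the thread: it flags exports that are wider than the subnet pf is meant to allow, so the NFS restriction still holds if pf is disabled. The sample file, the paths and the 192.168.1.0/24 LAN are constructed, and it assumes the OpenBSD `-network=` / `-mask=` option form.

```python
import ipaddress

# Constructed sample in OpenBSD exports(5) style; paths and addresses are made up.
SAMPLE_EXPORTS = """\
# shared drives
/export/home -alldirs -network=192.168.1.0 -mask=255.255.255.0
/export/media -ro
/export/backup -maproot=root \\
    -network=10.0.0.0 -mask=255.0.0.0
/export/scratch 192.168.1.20 203.0.113.9
"""

def parse_exports(text):
    """Yield (directories, options, hosts) for each logical line."""
    for raw in text.replace("\\\n", " ").splitlines():  # join continuations
        tokens = raw.split("#", 1)[0].split()            # drop comments
        if not tokens:
            continue
        dirs = " ".join(t for t in tokens if t.startswith("/"))
        opts = dict(t[1:].partition("=")[::2] for t in tokens if t.startswith("-"))
        hosts = [t for t in tokens if t[0] not in "/-"]
        yield dirs, opts, hosts

def outside(addr, allowed):
    """True if addr (host IP or net/mask) is provably not inside allowed."""
    try:
        return not ipaddress.ip_network(addr, strict=False).subnet_of(allowed)
    except ValueError:
        return False  # hostname, netname or missing mask: check by hand

def audit_exports(text, allowed_cidr):
    """Return (directories, reason) for exports wider than the LAN pf allows."""
    allowed = ipaddress.ip_network(allowed_cidr)
    findings = []
    for dirs, opts, hosts in parse_exports(text):
        if "network" in opts:
            net = f"{opts['network']}/{opts.get('mask', '')}"
            if outside(net, allowed):
                findings.append((dirs, f"network {net} is not inside {allowed}"))
        elif not hosts:
            # An entry with no host list and no -network applies to all clients.
            findings.append((dirs, "no host or network: exported to every client"))
        for h in hosts:
            if outside(h, allowed):
                findings.append((dirs, f"host {h} is not inside {allowed}"))
    return findings

if __name__ == "__main__":
    for dirs, reason in audit_exports(SAMPLE_EXPORTS, "192.168.1.0/24"):
        print(f"{dirs}: {reason}")
```

Entries that name hosts or networks symbolically are not judged by this check and still need a manual look.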