> Anyways, since in my case, I only need a read-only export, I can also go with 
> sharing the files via http.
> Both networks that are separated with the firewall, have about the same trust 
> level.
> So now someone could argue, why the hell a firewall in there at all, but 
> that's a different topic ;)
>
> So let me shut up and forget about it.

Essentially at that point, allowing the RPC range in from your http
servers to your read only NFS server across the firewall doesn't
really have any different impact than doing it only with one port.
More importantly, having the rules there saying "for NFS export" are a
nice glaring thing reminding people about the "why the hell have a
firewall there at all" issue so it could eventually be solved.

Personally I've always done this with the read only nfs server
*outside* sharing to the http servers, and an internal server that all
the changes are made on, with a
"publish" mechanism (script, or button that runs a script, or even a
cron job) that rsyncs changes from the internal server to the
external server via ssh.

You can then have a tiny little http server on the inside, visible
only to the inside, for your people to vet the changes before
publishing them.

Then you only need to allow ssh outbound to rsync the content out, and
your firewall might do something meaningful :)

-Bob
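One way to put Bob's "publish" step into a script, added here as an example and not taken from the thread: the content is vetted on the internal server, then mirrored to the external read-only server with rsync over ssh, so the only hole the firewall needs is ssh outbound. The hosts, paths, key file and the `publish` account are placeholders I have assumed; the rsync command is assembled in a function so it can be inspected (or dry-run) without touching the network.

```shell
#!/bin/sh
# publish.sh: mirror the vetted content from the internal server to the
# read-only external server over ssh. Added example; every host, path and
# account below is a placeholder, not a value from the original thread.
set -eu

SRC="${PUBLISH_SRC:-/srv/staging/www}"                  # internal tree, vetted via the inside-only http server
DEST_HOST="${PUBLISH_HOST:-publish@nfs-ext.example}"   # assumed: dedicated low-privilege account on the outside box
DEST_DIR="${PUBLISH_DEST:-/export/www}"                # assumed: the directory the outside NFS server exports read-only
SSH_KEY="${PUBLISH_KEY:-/etc/publish/id_ed25519}"      # assumed: key used only by this job

# rsync copies the *contents* of a directory only when the path ends in "/";
# normalise so a missing slash cannot create a nested copy on the far side.
with_slash() {
    case "$1" in
        */) printf '%s\n' "$1" ;;
        *)  printf '%s/\n' "$1" ;;
    esac
}

# Build the exact rsync command line as a string for logging and review.
#   -a       preserve the tree (perms, times, symlinks)
#   -z       compress on the wire
#   --delete mirror removals so stale pages do not linger on the outside
#   --dry-run is appended when the 5th argument is "1"
# BatchMode=yes makes ssh fail instead of prompting, so a cron run never hangs.
build_rsync_cmd() {
    src=$(with_slash "$1"); host="$2"; dest=$(with_slash "$3"); key="$4"; dry="${5:-0}"
    flags="-az --delete"
    if [ "$dry" = "1" ]; then
        flags="$flags --dry-run"
    fi
    printf 'rsync %s -e "ssh -i %s -o BatchMode=yes" %s %s:%s\n' \
        "$flags" "$key" "$src" "$host" "$dest"
}

# Run the transfer with the same flags the string above shows (no eval, so
# spaces in paths are passed through as single arguments).
run_publish() {
    dry="${1:-0}"
    src=$(with_slash "$SRC"); dest=$(with_slash "$DEST_DIR")
    if [ "$dry" = "1" ]; then
        rsync -az --delete --dry-run -e "ssh -i $SSH_KEY -o BatchMode=yes" "$src" "$DEST_HOST:$dest"
    else
        rsync -az --delete -e "ssh -i $SSH_KEY -o BatchMode=yes" "$src" "$DEST_HOST:$dest"
    fi
}

# Only act when invoked explicitly; sourcing the file for inspection does nothing.
case "${1:-}" in
    --show)    build_rsync_cmd "$SRC" "$DEST_HOST" "$DEST_DIR" "$SSH_KEY" 0 ;;
    --dry-run) run_publish 1 ;;
    --run)     run_publish 0 ;;
    *)         : ;;
esac
```

Run `publish.sh --show` to print the command it would execute, `--dry-run` to list what rsync would change, and `--run` (from the publish button or the cron job) to push. On the outside server the `publish` account's `authorized_keys` entry can be given a `command=` forced command so that key can only run rsync into the export directory and nothing else; with that in place, the single ssh rule on the firewall is carrying exactly one job.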
