Am Donnerstag, 18. Oktober 2012 20:50 CEST, Bob Beck <b...@obtuse.com> schrieb: 
 
> > Anyways, since in my case, I only need a read-only export, I can also go 
> > with sharing the files via http.
> > Both networks that are separated with the firewall, have about the same 
> > trust level.
> > So now someone could argue, why the hell a firewall in there at all, but 
> > that's a different topic ;)
> >
> > So let me shut up and forget about it.
> 
> Essentially at that point, allowing the RPC range in from your http
> servers to your read only NFS server across the firewall doesn't
> really have any different impact than doing it only with one port.
> More importantly, having the rules there saying "for NFS export" are a
> nice glaring thing reminding people about the "why the hell have a
> firewall there at all" issue so it could eventually be solved.
> 
> Personally I've always done this with the read only nfs server
> *outside* sharing to the http servers, and an internal server that all
> the changes are made on, with a
> "publish" mechanism (script, or button that runs a script, or even a
> cron job) that rsyncs changes from the internal server to the
> external server via ssh.
> 
> You can then have a tiny little http server on the inside, visible
> only to the inside, for your people to vet the changes before
> publishing them.
> 
> Then you only need to allow ssh outbound to rsync the content out, and
> your firewall might do something meaningful :)

I did not really explain my use-case in the first place, which I probably
should do before I really shut up ;)

What I'm doing on the NFS server is mirroring installation sources for some
Linux distribution in order to have them locally available. In order to not have
multiple copies for each network, I need to make them somehow available there.
The firewall sits in the middle. My plan was to export the drive read-only
into the other networks; nobody needs to write on it.
For my use-case, I can also use an http server to accomplish the same.
Why NFS in the first place? It's the same way I do it in other places,
but from a Linux server, therefore I had a bit of consistency in mind,
and wanted to do it the same way here.
But as said, for my use case, I can also switch to http to get to the same
result.

thanks,
Sebastian

> 
> -Bob
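The "publish" mechanism Bob describes above, as an added sketch that is not from the thread: a script on the internal staging server that rsyncs the vetted mirror to the external read-only server over ssh, with a dry-run mode for checking what would change before pushing. The host name, directories and lock path are assumptions.

```shell
#!/bin/sh
# publish.sh: push the mirror from the internal staging server to the external
# read-only server over ssh, so the firewall only needs to allow ssh outbound.
# Assumed names (not from the thread): STAGE_DIR, EXT_HOST, EXT_DIR, LOCK.
set -eu

STAGE_DIR="${STAGE_DIR:-/srv/mirror}"
EXT_HOST="${EXT_HOST:-publish@mirror-ext.example}"
EXT_DIR="${EXT_DIR:-/srv/mirror}"
LOCK="${LOCK:-/var/run/publish.lock}"

# Force exactly one trailing slash: for rsync the slash decides whether the
# directory itself or only its contents are copied.
norm_dir() {
    printf '%s/\n' "${1%/}"
}

# rsync options; "dry" gives the vetting run that only lists what would change.
rsync_opts() {
    opts="-az --delete --delete-delay --partial --timeout=600"
    if [ "${1:-}" = dry ]; then
        opts="$opts --dry-run --itemize-changes"
    fi
    printf '%s\n' "$opts"
}

publish() {
    src=$(norm_dir "$STAGE_DIR")
    dst="$EXT_HOST:$(norm_dir "$EXT_DIR")"
    # One run at a time: two overlapping cron runs would race on --delete.
    if ! mkdir "$LOCK" 2>/dev/null; then
        echo "publish already running (lock $LOCK)" >&2
        return 1
    fi
    trap 'rmdir "$LOCK"' EXIT INT TERM
    # BatchMode: never prompt, so a cron job fails instead of hanging.
    rsync $(rsync_opts "${1:-}") -e 'ssh -o BatchMode=yes' "$src" "$dst"
}

case "${1:-}" in
    vet)  publish dry ;;   # show changes, push nothing
    push) publish ;;       # publish for real
esac
```

Run `publish.sh vet` from the inside after reviewing on the internal http server, then `publish.sh push`; only ssh to the external host has to cross the firewall.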
