/* Jim Klun [jklun@stercomm.com] writes: */
What type of internal "trusted network" clients were there? NT, Unix?
It was strictly UNIX, but I think this scheme would have benefited CIFS clients even more...
How did you cleanly get the internal clients to pick up inbound FTP files?
The internal clients talked to the filer on the "internal" interface.
Are there legitimate concerns about an NFS based attack on the filer itself?
Of course (and more), that is why I advocated the "back-door" network. I didn't want ANY packets from foreign hosts to touch the filer interfaces. Perhaps a drawing would help...
        INTERNAL NETWORK             +----------+
    ---/clients/---------+-----------| Firewall |------------ DMZ ------+
                         |           +----------+                       |
                         |e1                                            |ep0
                      +-------+                                   +----------+
                      | filer |                                   | FTP host |
                      +-------+                                   +----------+
                         |e2                                            |ep1
                         +-------------- crossover cable ---------------+
ep0 and ep1 are ethernet interfaces on the FTP host; e1 and e2 are ethernet interfaces on the filer.
ep1 was connected to e2 with a simple crossover cable.
Internal clients talked to the filer over e1 as expected, and the public FTP host used its ep1 to talk to the filer's e2 interface. The packets never had to go through the firewall, and the filer was simply configured to allow only certain mount requests from the FTP host. Routing on the FTP host was obviously turned off, and the host was "secured" (meaning only running what it required). Access was available only from the console or RSA authenticated SSH connections.
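An added example, not part of the message above: the one configuration detail that carries the security of this layout is that the filer exports the FTP volumes to the crossover-cable peer only, so it is worth auditing. The script below checks an /etc/exports in the "path -rw=host:host,root=host" style (assumed syntax; NetApp-style exports of that era looked like this, but check your filer's own format) and flags any export that is not restricted to a single named host. The sample exports and the hostname ftphost-x are constructed for the example.

```shell
#!/bin/sh
# Audit a filer-style /etc/exports: every export must be limited to the single
# host on the other end of the crossover cable. Added example; the export
# syntax handled here ("path -opt=val,opt=val", host lists split by ':') is an
# assumption about the filer, and all hosts/paths below are constructed.

# check_exports EXPORTS_TEXT ALLOWED_HOST
# Prints each offending export line on stdout. Exit 0 when every export is
# restricted to ALLOWED_HOST (rw=, ro= or access= naming only that host, and
# root= naming only that host if present); exit 1 otherwise.
check_exports() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { bad = 0 }
        /^[ \t]*(#|$)/ { next }                   # comments and blank lines
        {
            restricted = 0; ok = 1
            for (i = 2; i <= NF; i++) {
                opt = $i; sub(/^-/, "", opt)
                n = split(opt, kvs, ",")         # "-sec=sys,rw=h1:h2,root=h1"
                for (k = 1; k <= n; k++) {
                    eq  = index(kvs[k], "=")
                    key = eq ? substr(kvs[k], 1, eq - 1) : kvs[k]
                    val = eq ? substr(kvs[k], eq + 1) : ""
                    if (key == "rw" || key == "ro" || key == "access" || key == "root") {
                        if (val == "") { ok = 0; continue }   # bare -rw: everyone
                        m = split(val, hosts, ":")
                        for (j = 1; j <= m; j++)
                            if (hosts[j] != allowed) ok = 0   # any other host/subnet
                        if (key != "root") restricted = 1
                    }
                }
            }
            if (!restricted) ok = 0              # no host list at all: world export
            if (!ok) { print "UNRESTRICTED: " $0; bad = 1 }
        }
        END { exit bad }
    '
}

# Constructed samples: the first is what the filer should look like, the
# second shows three ways the restriction gets lost (extra subnet, bare path,
# option without a host list).
SAMPLE_GOOD='# constructed sample exports
/vol/ftp/incoming -rw=ftphost-x,root=ftphost-x
/vol/ftp/outgoing -sec=sys,ro=ftphost-x'

SAMPLE_BAD='/vol/ftp/incoming -rw=ftphost-x:10.0.0.0/8
/vol/pub
/vol/home -rw'

if [ "${1:-}" = "--demo" ]; then
    check_exports "$SAMPLE_GOOD" ftphost-x && echo "good exports: OK"
    check_exports "$SAMPLE_BAD"  ftphost-x || echo "bad exports: rejected"
fi
```

Run it against the filer's real exports with `check_exports "$(cat /etc/exports)" <ftp-host-name>`; anything printed is an export reachable from more than the crossover peer. The same idea applies to the FTP host side: with forwarding off, the only thing that should be listening on ep1 is the NFS client traffic itself.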