On Wed, 19 Mar 2003, Brian Long wrote:
:=The filer should live on your DMZ :) No holes through firewalls to
:=worry about. In fact, it should be on a private VLAN that only your web
:=server(s) can see.
Also, if it is necessary to have boxes inside your firewall access the filer, you can put in another Ethernet card and have an interface on the DMZ and one inside the trusted network. Since the filer doesn't route packets, the practical worry is greatly minimized.
I'd also deny any NFS traffic through the firewall, and any traffic, period, to the filer that doesn't come from inside the DMZ, as well as keeping a very tight lock on the exports file on the filer (including not exporting vol0 to anything inside the DMZ).
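
An added example, not part of the original message: a small audit of an exports file against the rules described above (no vol0 export to DMZ hosts, no clients outside the DMZ or trusted network, no open exports). The simplified `path -opt=host[:host]` syntax, the subnets, the `/vol/vol0` path and the sample file are all assumptions constructed for illustration.

```python
import ipaddress

DMZ_NET = ipaddress.ip_network("192.0.2.0/24")     # constructed DMZ subnet
TRUSTED_NET = ipaddress.ip_network("10.1.1.0/24")  # constructed inside network
ROOT_VOLUME = "/vol/vol0"                          # assumed root volume path

# Constructed sample exports file in the simplified syntax assumed here.
SAMPLE_EXPORTS = """\
/vol/web        -ro=192.0.2.10:192.0.2.11
/vol/vol0       -rw=10.1.1.5,root=10.1.1.5
/vol/vol0/home  -rw=192.0.2.10
/vol/logs       -rw=192.0.2.10:198.51.100.7
/vol/scratch
"""

def parse_exports(text):
    """Return [(path, sorted client list)] for each non-comment line."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        clients = set()
        for opt in (parts[1] if len(parts) > 1 else "").lstrip("-").split(","):
            key, sep, hosts = opt.strip().partition("=")
            if sep and key in ("ro", "rw", "root"):
                clients.update(h for h in hosts.split(":") if h)
        entries.append((parts[0], sorted(clients)))
    return entries

def audit(text):
    """Return (path, client, reason) for every export that breaks the policy."""
    findings = []
    for path, clients in parse_exports(text):
        is_root = path == ROOT_VOLUME or path.startswith(ROOT_VOLUME + "/")
        if not clients:
            findings.append((path, "*", "no client list: exported to every host"))
        for client in clients:
            try:
                addr = ipaddress.ip_address(client)
            except ValueError:
                findings.append((path, client, "hostname: resolve and review by hand"))
                continue
            if addr in DMZ_NET and is_root:
                findings.append((path, client, "root volume exported to a DMZ host"))
            elif addr not in DMZ_NET and addr not in TRUSTED_NET:
                findings.append((path, client, "client outside DMZ and trusted network"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORTS):
        print("%-16s %-14s %s" % finding)
```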