A number of years ago, I did something similar, except that I had 2nd interfaces on both my filer and the "DMZ" host. I simply connected them back to back and made the obvious access restrictions so the DMZ host could only mount what it was supposed to, couldn't telnet to the filer, ...
There were 2 main advantages for doing it this way in this client's case.
1. Exclusive access to the filer's interface made data transfers much faster.
2. Changes to their firewalls and network configurations would not change how the DMZ host could access the filer.
Eventually they simply put the filer interface on the DMZ network with appropriate changes to their firewalls to keep outside hosts from talking to the filer(s) directly. This provided them additional scalability. I still think they should have just gone from doing a back-to-back connection to putting the 2nd interfaces (filer and DMZ) onto the same switch/hub and scaled that way.
~mitch
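The "obvious access restrictions" above (the DMZ host may mount only what it needs, nothing more) are easiest to keep honest with a script that reads the exports file and flags anything broader than a single-host, least-privilege export. The following is an added example, not code from this thread or from NetApp; it assumes Linux-style /etc/exports syntax (a filer's own /etc/exports format differs) and the sample file, host addresses and paths are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in Linux /etc/exports syntax. The paths and the
# 192.0.2.x addresses are made up for the example.
SAMPLE_EXPORTS = """\
# good: one DMZ host, read-only, root squashed
/vol/ftp_pub   192.0.2.10(ro,root_squash)
# bad: exported to everyone, writable, root not squashed
/vol/home      *(rw,no_root_squash)
# bad: the whole DMZ subnet may write, not just the FTP server
/vol/ftp_in    192.0.2.0/24(rw)
"""


@dataclass
class Export:
    path: str
    client: str
    options: set = field(default_factory=set)


def parse_exports(text):
    """Parse /etc/exports-style lines into one Export per (path, client)."""
    exports = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        path = parts[0]
        for spec in parts[1:]:
            # spec looks like "host(opt,opt)" or just "host"
            m = re.match(r"^([^(]*)(?:\((.*)\))?$", spec)
            client = m.group(1) or "*"
            opts = {o for o in (m.group(2) or "").split(",") if o}
            exports.append(Export(path, client, opts))
    return exports


def audit(exports, allowed_hosts):
    """Return (path, client, reason) for every export wider than policy.

    Policy, as in the thread: each export goes to exactly one known DMZ
    host address, never to a wildcard or a subnet, and root is squashed.
    """
    findings = []
    for e in exports:
        if e.client == "*" or "/" in e.client:
            findings.append((e.path, e.client,
                             "export is not restricted to a single host"))
        elif e.client not in allowed_hosts:
            findings.append((e.path, e.client,
                             "host is not on the approved DMZ host list"))
        if "no_root_squash" in e.options:
            findings.append((e.path, e.client,
                             "root on the client is root on the filer"))
    return findings


if __name__ == "__main__":
    for path, client, reason in audit(parse_exports(SAMPLE_EXPORTS),
                                      allowed_hosts={"192.0.2.10"}):
        print(f"{path:14} {client:16} {reason}")
```

Run it against the real exports file before and after every firewall or network change; an export that quietly widens from one host to a subnet is exactly the kind of drift the back-to-back setup was meant to avoid.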
/* Jim Klun [jklun@stercomm.com] writes: */
I am contemplating this architecture:
            INTERNET
               |
          CISCO PIX FW ------- DMZ FTP SERVER
               |
      ------------------------------
         |                      |
     NT CLIENT               NETAPP

The DMZ FTP Server would have a UDP NFS mount THROUGH THE FIREWALL into [...]