FW: securing a network with nfs

From: Dave Vehrs (davev@spiremedia.com)
Date: 08/10/01

From: "Dave Vehrs" <davev@spiremedia.com>
To: <focus-linux@securityfocus.org>
Subject: FW: securing a network with nfs
Date: Fri, 10 Aug 2001 13:48:27 -0600
Message-ID: <000801c121d5$6d58c790$9701010a@spiremedia.com>

It sounds like you are trying to reinvent the DMZ.

Place all externally accessible systems into the DMZ, then instruct the
firewall to only allow traffic from the DMZ hosts to the NFS server on
specific ports/services. Additionally, this keeps your "public" servers
behind the firewall too, so you can limit access to them to only required
services (i.e. http on the web server, pop3/smtp on the mail server, etc.)

Like this:

   DMZ                              Internal Network

 -------            ------------
| Mail |----       | NFS Server |
 -------    |       ------------
            |            |
 -------   -----   ----------      ----------------
| Other |--| HUB |-| Firewall |---| Inside Network |
 -------   -----   ----------      ----------------
            |            |
 -------    |            |
| Web |-----             |
 -------          ---------------
                 | Outside World |
                  ---------------

This is fairly easy to do with Linux or *BSD, and I would recommend taking a
look at:
        Linux Firewalls by R. Ziegler
        Building Linux and BSD Firewalls by ??


Dave V.
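One way to express the policy described above on a Linux firewall with three interfaces (outside, DMZ, inside), as an added example that is not part of Dave's post: interface names, the documentation-range addresses, the choice of NFS ports and the dry-run default are all assumptions for illustration.

```shell
#!/bin/sh
# Added example: iptables FORWARD policy for the three-legged firewall in the
# diagram above. Interfaces/addresses are placeholders; IPT defaults to a dry
# run that only prints the rules. Set IPT=iptables to apply them for real.
IPT="${IPT:-echo iptables}"

EXT_IF=eth0                                  # Outside World
DMZ_IF=eth1;  DMZ_NET=192.0.2.0/24           # DMZ (placeholder range)
INT_IF=eth2;  NFS_SRV=198.51.100.10          # NFS server (placeholder)
WEB=192.0.2.10; MAIL=192.0.2.20              # public hosts in the DMZ

dmz_rules() {
    # Default deny for anything routed through the firewall.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # Replies to flows that were already allowed below.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Outside -> DMZ: only the service each public host exists for.
    $IPT -A FORWARD -i $EXT_IF -o $DMZ_IF -p tcp -d $WEB  --dport 80  -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $EXT_IF -o $DMZ_IF -p tcp -d $MAIL --dport 25  -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $EXT_IF -o $DMZ_IF -p tcp -d $MAIL --dport 110 -m state --state NEW -j ACCEPT

    # DMZ -> NFS server: portmapper (111) and nfsd (2049) only, TCP and UDP.
    # mountd/lockd/statd pick RPC ports at random unless pinned on the
    # server, so pin them (and add them here) or run NFSv4-only, which needs
    # nothing but 2049, before relying on port filtering.
    for p in 111 2049; do
        $IPT -A FORWARD -i $DMZ_IF -o $INT_IF -p tcp -s $DMZ_NET -d $NFS_SRV --dport $p -m state --state NEW -j ACCEPT
        $IPT -A FORWARD -i $DMZ_IF -o $INT_IF -p udp -s $DMZ_NET -d $NFS_SRV --dport $p -j ACCEPT
    done

    # Nothing else from the DMZ reaches the inside: a compromised public
    # host gets logged, not a path into the internal network.
    $IPT -A FORWARD -i $DMZ_IF -o $INT_IF -j LOG --log-prefix "DMZ->INT denied: "
    $IPT -A FORWARD -i $DMZ_IF -o $INT_IF -j DROP
}

dmz_rules
```

With the dry-run default the script prints the ruleset so it can be reviewed before being loaded.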
