If I set up an apache box in my DMZ, with its $HOME on my internal NFS server, am I just asking for trouble?
In my opinion YES! Because the NFS server is in your LAN and machines in the DMZ (by definition) shouldn't have access to the internal network at all, only related/established connections from the LAN, and maybe SSH.
Maybe you should put the NFS server in the DMZ?
tomk, I think the real question is... why would you need to do that in the first place? Perhaps an understanding of your reasoning and needs would help to understand the balance between usability and security for your situation.
"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
I like to think of the DMZ as what the name implies, "an unprotected zone", and therefore anything in there can be compromised. Mind you, security in a network is never 100% "secure".
I would rather (matter of fact, I do that) put the machine in the DMZ and set the specific IP of my machine as the only one allowed to SSH to the server. Then, using ftp mount, I mount the directory from the web server into my system and update the web pages with absolute comfort... just as if it was part of my system. When I'm done I'll unmount and that's it.
Hope this helps.
Rick
Thanks for the input, all.
Skyscraper - I know it's far from ideal. I'm just trying to gauge the risk level. And no, I can't put the NFS box in the DMZ - thanks for the suggestion, though.
Cactus - I need to do it because the large hard drive that I thought I'd be using in the web server turned out to be hosed. Currently, I'm not in a position to buy a replacement, so I have a much smaller drive in there, which holds the OS, but very little else. I need more space to hold submissions from users, e.g. photos, video, etc., hence this dodgy idea.
ralvez - as above, this is not about building/maintaining the site. I can use your method or various others for that. It's about storage.
Any and all opinions/ideas appreciated. TIA.
Well, aside from swapping the drives out, or buying a new one, it sounds like it is your only real solution.
Just make sure you config the NFS server to only allow NFS connections from that single host on the DMZ, and make sure that your intermediary firewall only allows NFS to that single internal host, from that single host on the DMZ.
Pray, and make good backups.
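A small audit of the NFS side of cactus's advice, as an added example that is not code from this thread or from nfs-utils: it parses an /etc/exports file and flags any export that is not limited to the single DMZ host, plus two classic exports(5) pitfalls (a `*` or space-separated `host (opts)` entry, which exports to everyone, and `no_root_squash`). The sample exports file and the DMZ address 192.0.2.10 are constructed for the example.

```python
import re

# Constructed sample /etc/exports: line 2 is the broad export to avoid, line 3
# has the space-before-parentheses mistake, line 4 is locked to the DMZ host.
SAMPLE_EXPORTS = """\
# user submissions for the web server (constructed sample)
/srv/uploads *(rw,no_root_squash)
/srv/uploads 192.0.2.10 (rw,sync)
/srv/uploads 192.0.2.10(rw,root_squash,sync)
"""

DMZ_HOST = "192.0.2.10"  # assumed address of the single web server in the DMZ

CLIENT_RE = re.compile(r"^(?P<client>[^()\s]+)(?:\((?P<opts>[^)]*)\))?$")


def parse_exports(text):
    """Yield (lineno, path, client, options) for every client entry in an exports file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *entries = line.split()
        for entry in entries:
            # "host (opts)" with a space before the parentheses is the classic
            # exports(5) mistake: "host" gets default options and the options
            # in parentheses apply to a world (*) export.
            if entry.startswith("("):
                entry = "*" + entry
            m = CLIENT_RE.match(entry)
            if m is None:
                continue
            opts = {o for o in (m.group("opts") or "").split(",") if o}
            yield lineno, path, m.group("client"), opts


def audit_exports(text, allowed_host):
    """Return findings for exports not restricted to allowed_host or that skip root squashing."""
    findings = []
    for lineno, path, client, opts in parse_exports(text):
        if client != allowed_host:  # catches *, wildcards, netgroups and CIDR ranges alike
            findings.append(f"line {lineno}: {path} exported to '{client}', not only to {allowed_host}")
        if "no_root_squash" in opts:
            findings.append(f"line {lineno}: {path} ({client}) uses no_root_squash, so root on the DMZ host is root here")
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS, DMZ_HOST):
        print(finding)
```

Run it against a real /etc/exports by reading the file into `audit_exports`; the firewall half of the advice (NFS allowed only between those two addresses) still has to be checked on the intermediary firewall itself.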
Thanks cactus. Yeah, I'll tie it down to individual IPs/hostnames, and keep a close eye on the logs.
(Many weeks later)
I've gone for NFS over SSH in the end, in case anyone's interested. Just one pinhole from DMZ to LAN on port 22, all traffic encrypted, dedicated user on NFS server locked down to one command.
Found the details here (mostly) - when I get the time, I'll add an updated version to the wiki.
Well, I'm glad you got it figured out. I still think it's kind of silly to have a DMZ when you have your $HOME right on there, but clearly it's what your needs are.