[SlugBug] sharing a file system between a DMZ and private network.

David Holden dh at iucr.org
Tue Sep 30 14:46:12 BST 2003


On Tuesday 30 Sep 2003 1:09 pm, Bruno Postle wrote:
> On Tue 30-Sep-2003 at 11:03:20AM +0100, David Holden wrote:
> > The typical firewall setup is private/DMZ/public. Does anyone know
> > of ways of addressing the problem of machines in the DMZ accessing
> > file systems located on machines in the private area and vice
> > versa?
>
> This is the kind of thing that firewalls and "de-militarized zone"
> arrangements are designed to _stop_ you doing..
>
> Can you rearrange the network so that the data is stored in the DMZ?
> This is generally what you need a DMZ for in the first place.
>
> ..or if the data isn't changing all the time, you could rsync it
> from your internal network to the machines in the DMZ.
>
> > I know it would be possible to configure NFS access between
> > the two but this involves opening quite a few ports
>
> It's worse than that, NFS uses random port numbers.


Yes, I'm aware of all the above. I can configure the firewall to allow NFS
access between the DMZ and private network, but as you mention this involves
opening a range of ports because of how NFS works.

There is obviously a lessening of security by doing this. The problem is that
although most data can be rsync'ed where needed on both networks, there are
some time-critical files that are needed both on the internal and DMZ networks,
e.g.

A file may be created on filesystems in the private area but be needed
almost instantly in the DMZ and vice versa. I'm sure this must be a problem
for other people; I was wondering if anyone had come up with a solution?

 Dave.



-- 
Dr. David Holden. (Systems Developer)
Crystallography Journals Online: <http://journals.iucr.org>

Thanks in advance:-
Please avoid sending me Word or PowerPoint attachments.
See: <http://www.fsf.org/philosophy/no-word-attachments.html>

UK Privacy (R.I.P)  : http://www.stand.org.uk/commentary.php3
Public GPG key available on request.
-------------------------------------------------------------
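
The point in the thread about NFS needing a range of ports can be checked on a given server by reading what it has registered with the portmapper. The following is an added example, not part of the original post: it parses `rpcinfo -p` output and separates the conventionally fixed ports (111, 2049) from the ones handed out dynamically. The sample output and the function names are constructed for illustration.

```python
# Constructed sample of `rpcinfo -p` output from an NFS server (not from the post).
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32768  status
    100024    1   tcp  32768  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp  32769  nlockmgr
    100021    3   udp  32769  nlockmgr
    100021    1   tcp  32770  nlockmgr
    100005    1   udp  32771  mountd
    100005    1   tcp  32772  mountd
    100005    3   udp  32771  mountd
"""

# Ports fixed by convention; anything else was assigned at registration time.
WELL_KNOWN = {"portmapper": 111, "nfs": 2049}

def parse_rpcinfo(text):
    """Return a set of (service, proto, port) tuples from `rpcinfo -p` output."""
    entries = set()
    for line in text.splitlines():
        fields = line.split()
        # Skip the header row and any blank or malformed line.
        if len(fields) < 4 or not fields[0].isdigit() or not fields[3].isdigit():
            continue
        # Fall back to the program number when no service name is listed.
        service = fields[4] if len(fields) > 4 else fields[0]
        entries.add((service, fields[2], int(fields[3])))
    return entries

def firewall_exposure(entries):
    """Split registered endpoints into fixed ports and dynamically assigned ones."""
    fixed, dynamic = set(), set()
    for service, proto, port in entries:
        if WELL_KNOWN.get(service) == port:
            fixed.add((proto, port))
        else:
            dynamic.add((service, proto, port))
    return sorted(fixed), sorted(dynamic)

if __name__ == "__main__":
    fixed, dynamic = firewall_exposure(parse_rpcinfo(SAMPLE_RPCINFO))
    print("fixed:", fixed)
    for service, proto, port in dynamic:
        print(f"dynamic (not pinned, may differ after restart): {service} {port}/{proto}")
```

Running it against real `rpcinfo -p <server>` output before and after a service restart shows which entries a static firewall rule cannot rely on.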

