Date: Wed, 20 Oct 1999 17:18:45 -0700 (PDT)
From: Doug Barton
To: "Ronald F. Guilmette"
Cc: Phil Homewood, Tony Finch, freebsd-questions@FreeBSD.ORG
Subject: Re: Stupid file system tricks.
In-Reply-To: <16908.940401221@monkeys.com>

On Tue, 19 Oct 1999, Ronald F. Guilmette wrote:

> Thanks. That _would_ work, if I was willing to trust NFS. But my
> (admittedly limited) understanding of it suggests that it is too
> much of a security risk to run NFS on anything that is connected to
> the public Internet.

In a situation like yours you wouldn't have a security risk because you would only be connecting back to the local machine. With a little creativity you could set up the exports file so that only 127.0.0.1 could access the shares, and then with a combination of tcp wrappers and/or ipfw you can restrict access to the RPC services quite effectively. We use a combination of inside/outside interfaces and carefully constructed access rules to do just such a system at work, and I do the same thing at home.

Good luck,

Doug
--
"Stop it, I'm gettin' misty."
- Mel Gibson as Porter, "Payback"
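
The loopback-only exports restriction described in the message above can be checked mechanically. The following is an added example, not part of the original e-mail: a small audit that flags any export line a non-loopback client could mount. It assumes a simplified reading of the exports(5) line format (directories, `-` options, `-network`/`-mask`, then hosts), treats the name `localhost` as loopback, and uses constructed paths and addresses.

```python
import ipaddress

# Constructed sample exports file; paths and addresses are illustrative only.
SAMPLE = """\
# constructed sample
/export/data 127.0.0.1
/export/src -ro -network 10.0.0.0 -mask 255.0.0.0
/export/pub -maproot=nobody
/export/home localhost 192.0.2.10
"""

def is_loopback(client):
    """True if the client spec is a loopback address/network or 'localhost'."""
    try:
        return ipaddress.ip_network(client, strict=False).is_loopback
    except ValueError:
        # Not an address: assume only the name 'localhost' maps to loopback.
        return client == "localhost"

def audit_exports(text):
    """Return [(lineno, reason)] for lines reachable by non-loopback clients."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        clients, i = [], 0
        while i < len(tokens):
            tok = tokens[i]
            if tok.startswith("-network"):
                if "=" in tok:                 # -network=NET
                    clients.append(tok.split("=", 1)[1])
                elif i + 1 < len(tokens):      # -network NET
                    i += 1
                    clients.append(tokens[i])
            elif tok.startswith("-mask") and "=" not in tok:
                i += 1                         # skip the mask value
            elif not tok.startswith(("/", "-")):
                clients.append(tok)            # plain host entry
            i += 1
        if not clients:
            findings.append((lineno, "no client list: exported to every host"))
        for c in clients:
            if not is_loopback(c):
                findings.append((lineno, "non-loopback client: " + c))
    return findings

if __name__ == "__main__":
    for lineno, reason in audit_exports(SAMPLE):
        print("line %d: %s" % (lineno, reason))
```

A clean result covers only the exports layer; the RPC services themselves still need the tcp wrappers and/or ipfw restrictions the message mentions.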