Jean-Francois wrote:
> Hi All,
>
> I actually built the following system:
> - OpenBSD running on a standard AMD platform
> - This box is actually used as firewall
> - This box is also used as webserver
> - This box is finally used as local shared drives via NFS file but only
>   open to subnetwork through PF

You _do_ have the same restrictions in /etc/exports, right? Otherwise
disabling pf (by accident or whatever) would expose your disks to the world.

> Assuming that subnetwork computers might be hacked or infected by any
> threat

That would give them full access to the NFS shares

> Assuming that there is no mistake in PF rules

... but _if_? ...

> Assuming that there is nothing of a third party installed on the box
> (basically it's only a tuned system)

"tuned" as in services turned on etc, I hope. Not "tuned" as in "tweaked
and unnecessarily fiddled with".

> -> Would you please confirm that hacking is almost impossible?

No.

> -> Would you confirm any personal data hosted on server are safe as
> long as the (subnet is not compromised by false manipulation of course)

This goes against what you wrote above about subnetwork computers might
be hacked etc, so ... no.

BUT

From what it looks like, I'd say you're safe enough, unless you keep
government secrets on your disks. :-)
Personally, I'd really recommend having the firewall as firewall/gateway
only and have another computer (or two) for the other services though.
/Alexander
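
The /etc/exports question raised in the reply can be checked mechanically. The script below is an added example, not part of the original thread: it lists exported directories that carry no host, netgroup or `-network` restriction and would therefore be reachable by any client once pf stops filtering. The function name `unrestricted_exports` and the sample file are constructed for illustration, and the parser assumes the `-option=value` token form shown in exports(5).

```shell
#!/bin/sh
# Added example (not from the thread): report exports(5) entries that are
# not limited to a host, netgroup or -network, i.e. exported to everyone.
# Assumption: options are written as -option=value, as in exports(5).

unrestricted_exports() {
    # $1: path to an exports file; prints the directories of each open entry
    awk '
    { sub(/#.*/, "") }                         # drop comments
    /\\[ \t]*$/ {                              # join backslash continuations
        sub(/\\[ \t]*$/, ""); buf = buf $0 " "; next
    }
    {
        line = buf $0; buf = ""
        n = split(line, tok)
        dirs = ""; restricted = 0
        for (i = 1; i <= n; i++) {
            t = tok[i]
            if (t ~ /^\//)                     # exported directory
                dirs = dirs (dirs == "" ? "" : " ") t
            else if (t ~ /^-network=/)         # subnet restriction
                restricted = 1
            else if (t !~ /^-/)                # host name, address or netgroup
                restricted = 1
        }
        if (dirs != "" && !restricted) print dirs
    }' "$1"
}

# Constructed sample input (192.0.2.0/24 is a documentation range).
sample=$(mktemp)
cat > "$sample" <<'EOF'
/home -alldirs -network=192.0.2.0 -mask=255.255.255.0
/srv/share -maproot=root fileclient.example.org
/data -ro -mapall=nobody
EOF
unrestricted_exports "$sample"    # prints: /data
rm -f "$sample"
```

An empty result means every entry names its clients, so the NFS restriction no longer depends on pf alone.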