LSTSRV-L Archives

LISTSERV Site Administrators' Forum

Michael Loftis <[log in to unmask]>
Fri, 24 Mar 2000 17:26:00 -0700
On Tue, 21 Mar 2000 [log in to unmask] wrote:

> Under Unix, you'd have to use NFS. However..

Yup...

>
> On Sun, 19 Mar 2000 16:06:57 -0700, Michael Loftis <[log in to unmask]> said:
> > >Is that possible?  I've several machines but only one runs a WWW server
> > >(for security reasons) and the ListServ machine is run on a separate
>
> If you are only able to run a WWW server on one machine due to security
> reasons, NFS is probably *totally* out of the question.  In fact, I
> can think of *no* way for the WWW server to be able to access the archive
> files on the Listserv machine securely enough to not make it an issue.

No it isn't.  Using IPCHAINS for Linux I've already locked off the NFS
server.  I can also (and have) blocked all remote RPC type traffic.  This
allows the internal network to use NFS against the machine w/o
compromising security.  The access list is IP (not domain) restricted as
well.

>
> Either that, or your "security reasons" need to be re-evaluated.  Is
> the *real* problem that your firewall people are too lazy/lame/whatever
> to open up port 80 for a second machine?  Are the WWW and Listserv
> machines on different software platforms, and you don't have the in-house
> knowledge on how to secure an http server on your Listserv platform?

No the real problem is it cannot be done.  There are a limited number of
IPs available and there is no reason to waste one on the ListServ machine.
The other reason is the ListServ is on the other side of the DMZ of the
firewall.  Moving it into the DMZ would be a breach of security (because
it's used for other things) for one, and for two would require either
physical relocation of the machine to the server room (out of the
question, there isn't any space left) or dropping a new wire (also out of
the question because our security policy does not allow any DMZ computer
to reside outside of the secured and locked server room).

> If you could be more specific regarding what the "security reasons" are,
> one of the security-minded gurus on the list (I know there's at least
> a few ;) may be able to come up with a solution.
>
>                               Valdis Kletnieks
>                               Operating Systems Analyst
>                               Virginia Tech
>
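
An added example, not part of the original message: the reply above relies on the NFS access list being restricted by IP rather than by domain name, and this sketch audits an exports file for entries that break that rule. The sample file, its paths, host names and addresses are constructed for illustration, and the parser assumes one export per line with no quoted paths or backslash continuations.

```python
import ipaddress

# Constructed sample in /etc/exports syntax; paths, names and addresses are made up.
SAMPLE_EXPORTS = """\
# archive tree exported read-only to the web server
/home/listserv/archives  192.168.10.5(ro,root_squash)
/home/listserv/notebooks 192.168.10.0/255.255.255.0(ro) www.example.org(ro)
/srv/scratch             *.example.org(rw) @trusted(rw)
/srv/public              (ro)
/srv/open
"""

def classify_client(spec):
    """Return 'ip', 'name' or 'world' for one client field of an export line."""
    host = spec.split("(", 1)[0]          # drop the "(options)" suffix
    if host in ("", "*"):
        return "world"                    # no client restriction at all
    try:
        # Accepts a single address, CIDR notation or address/netmask.
        ipaddress.ip_network(host, strict=False)
        return "ip"
    except ValueError:
        # Hostname, wildcard or @netgroup: the match depends on name
        # resolution, which the IP-only policy is meant to avoid.
        return "name"

def audit_exports(text):
    """List (line number, path, client, kind) for every non-IP client entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients or [""]:          # a bare path has no client list
            kind = classify_client(spec)
            if kind != "ip":
                findings.append((lineno, path, spec or "<none>", kind))
    return findings

if __name__ == "__main__":
    for lineno, path, spec, kind in audit_exports(SAMPLE_EXPORTS):
        print(f"line {lineno}: {path} -> {spec} [{kind}]")
```
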
