[clug] exposing a CVS repository to the internet
rasjidw at openminddev.net
Sun May 25 23:18:04 EST 2003
On Saturday 24 May 2003 15:11, James Ring wrote:
> Hi all,
> I was wondering, what is the 'accepted' way of exposing a CVS repository
> to the internet (for read-only access). My CVS repository is stored on a
> fileserver on my local segment (192.168.0.0/24), and my website is
> hosted on a DMZ separated by a firewall. This firewall permits no
> connects from the DMZ to the local network.
> For me, the most convenient way is to allow the web server to mount a
> NFS on the fileserver through the firewall, but I am concerned that this
> will be too dangerous if somebody manages to compromise the web server.
One option might be to get the webserver to export a NFS share which is
writable by the local network. Although NFS security is IP based, your
firewall should be protecting you from IP spoofing (I hope!), and should be
allowing NFS access to the LAN only anyway.
The main thing here is that you want to keep your 'firewall permits no
connects from the DMZ to the local network' in place. Assuming that you have
a stateful firewall, a solution that relies on your local network initiating
the connection is probably okay.
The rsync solution also sounds good to me. Again it allows for all
connections to be initiated from the LAN, not from the Webserver.
Caveat: I am not a security expert. :-)
Canberra, Australia UTC + 10
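
The LAN-initiated rsync push discussed in this reply, sketched as an added example that is not part of the original post. It is meant to run on the fileserver (for instance from cron); the paths, host name and account name are assumed placeholders, and the `RSYNC` override exists only so the function can be exercised without a network.

```shell
#!/bin/sh
# Added example: push a CVS repository from the LAN fileserver to the DMZ web
# server. The web server never connects inward, so the "no connects from the
# DMZ to the local network" firewall rule stays in place.
# All paths, the host name and the user name are assumed placeholders.

SRC=${SRC:-/srv/cvsroot}                          # repository on the fileserver
DEST=${DEST:-cvsmirror@www-dmz:/var/cvs-mirror}   # unprivileged account in the DMZ
LOCK=${LOCK:-/tmp/cvs-push.lock}
RSYNC=${RSYNC:-rsync}

push_repo() {
    src=$1; dest=$2

    # A CVS repository always has a CVSROOT/ admin directory. If it is missing
    # (wrong path, unmounted disk), --delete would empty the public mirror.
    if [ ! -d "$src/CVSROOT" ]; then
        echo "push_repo: $src is not a CVS repository, refusing to sync" >&2
        return 2
    fi

    # mkdir is atomic, so it doubles as a lock against overlapping cron runs.
    if ! mkdir "$LOCK" 2>/dev/null; then
        echo "push_repo: previous push still running" >&2
        return 3
    fi

    # -a keeps modes and times, --delete mirrors removals, and the excludes
    # keep in-progress CVS lock files out of the read-only copy.
    "$RSYNC" -a --delete \
        --exclude='#cvs.lock' --exclude='#cvs.rfl*' --exclude='#cvs.wfl*' \
        -e ssh "$src/" "$dest/"
    rc=$?

    rmdir "$LOCK"
    return $rc
}

# Sync only when called as "script push", so the file can also be sourced.
if [ "${1:-}" = "push" ]; then
    push_repo "$SRC" "$DEST"
fi
```

The ssh key used for the push lives on the LAN side only, so a compromised web server holds a copy of the repository but no credential or route back to the fileserver.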