Subject: Re: verified executable kernel modification committed
To: Brett Lymn <blymn@baesystems.com.au>
From: Simon J. Gerraty <sjg@crufty.net>
List: tech-security
Date: 11/08/2002 11:31:17
>Let us stop with the NFS now.  That is really just a blind alley - who
>in their right mind is running NFS on a firewall/router or similar?

Me.  Sort of - the firewall bastions have no kernel NFS capability but
run a user space NFS daemon (from inetd so no portmap) with SSL 
as transport - mounts authenticated by X.509 certs etc.  Very handy for
a bastion deep within the complex to be able to audit (and even back up
logs etc) the filesystems of the exposed bastions.  Performance sucks of
course - but that's not a major issue.

But in general, yes NFS and secure systems don't mix.
--sjg