Restricting the connection between two nodes

Tomasz Maciejewski ponton@REDACTED
Mon Jan 3 15:34:08 CET 2011


Is there a way to restrict the connection between two nodes, allowing
only specific functions to be executed (e.g. only from a specific
"exported" module)?

Suppose we have two nodes running one application, respectively:
private_node (e.g. Mnesia with sensitive data, or a port owner) and
public_node (e.g. HTTP/FTP daemon). The two nodes are connected
together and the public_node needs some data from private_node, but
private_node has some sensitive functions. Now, if someone gains
control over public_node, he can call any function from private_node
by simply using rpc:call, as well as send arbitrary messages to
processes on private_node.

How can I protect against breaking into Erlang through a public internet
service? Is it even possible to gain access to a remote shell
(assuming the cookie wasn't stolen) through some remote hole in
Erlang/Inets/my application?

With the solution of "restricting remote function calls only to
functions from a specific module", I could implement a public API in
private_server and be protected against gaining control over
private_server.

I will really appreciate any comments on security in Erlang.

-- 
Tomasz Maciejewski
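
One way to apply the "only functions from a specific module" idea from the question, as an added example that is not part of the original post. It assumes public_node reaches private_node over a plain TCP socket rather than Erlang distribution, and that each received frame is handed to handle_frame/1; the module name private_gateway and the functions get_user/1 and ping/0 are hypothetical.

```erlang
%% Added example, not from the original post.
%% Assumption: public_node reaches private_node over a plain TCP socket
%% (not Erlang distribution); each received frame is passed to handle_frame/1.
-module(private_gateway).
-export([handle_frame/1, demo/0]).

%% Allowlist: the only operations public_node may invoke, keyed by
%% {Name, Arity}. get_user/1 and ping/0 are hypothetical API functions.
allowed() ->
    #{{get_user, 1} => fun get_user/1,
      {ping, 0}     => fun ping/0}.

%% Decode one untrusted frame and dispatch it. The 'safe' option makes
%% binary_to_term/2 fail with badarg instead of creating new atoms or
%% external fun references from the sender's bytes.
handle_frame(Bin) when is_binary(Bin) ->
    try binary_to_term(Bin, [safe]) of
        {call, Name, Args} when is_atom(Name), is_list(Args) ->
            dispatch(Name, Args);
        _Other ->
            {error, bad_request}
    catch
        error:badarg -> {error, bad_request}
    end;
handle_frame(_) ->
    {error, bad_request}.

dispatch(Name, Args) ->
    try maps:find({Name, length(Args)}, allowed()) of
        {ok, Fun} -> run(Fun, Args);
        error     -> {error, not_allowed}
    catch
        error:badarg -> {error, bad_request}  % improper argument list
    end.

%% Run the allowlisted fun; failures are reported without internal detail.
run(Fun, Args) ->
    try {ok, apply(Fun, Args)}
    catch _:_ -> {error, failed}
    end.

get_user(Id) -> {user, Id, <<"constructed sample record">>}.
ping() -> pong.

%% Constructed sample frames: two allowed calls, one call outside the allowlist.
demo() ->
    [handle_frame(term_to_binary(T))
     || T <- [{call, ping, []}, {call, get_user, [42]}, {call, halt, []}]].
```

The request never names a module, so the caller can only select an entry from allowed/0; anything else is rejected before any code runs.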

