Old 22nd June 2008
Oko
Rc.conf Instructor
 
Join Date: May 2008
Location: Kosovo, Serbia
Posts: 1,102
Remote Access to File Server

I am a hobbyist, so I was wondering if you system administrators could explain something to me regarding remote access to a file server.

Suppose that I want to run a full-blown network with the following topology:

internet <--> PF1<--> DMZ<-->PF2<-- LAN zone

in which my file server as well as my DNS server are in the LAN zone and completely invisible from the internet. Ideally I am thinking that the PF2 rules should allow people from the LAN zone to access only the internet via the Squid proxy in the DMZ, as well as fetching mail from the mail server, which is also in the DMZ, and nothing else. The PF2 blocking policy ideally should be block all.

Suppose now I am a user and want to access my files on the file server in the LAN zone from my home, which is outside the LAN zone, actually the Internet in the above diagram. Of course the File Server doesn't run OpenSSH, and moreover PF2 would block access to it anyway. Let's suppose that I put another machine in the DMZ which is now my SSH gateway for files.

How can I make the files on the File Server visible to a user who is logged into such an SSH gateway? I have a couple of ideas in mind.

One is having a second copy of the files on the SSH gateway machine (sort of like a secondary file server) and then running a remote sync from the File Server which is in the LAN zone (that would of course require refining the PF2 rules so that packets are allowed to pass into the LAN zone file server after such a remote sync is initiated from the LAN zone itself).

The other scenario is to simply open the SSH port on PF2 and to use the SSH gateway machine in the DMZ to redirect the traffic to the file server. In this scenario the File Server in the LAN zone will allow SSH, but only from the specific machine in the DMZ zone. Nothing else.


What do you people actually do?

The above thoughts are the result of my attempts to fully understand the topology of the network of the University where I work.

The LAN zone is of course user terminals with faculty and student accounts. Those accounts actually reside on the File Server, which runs NFS and is only visible from the LAN zone. Besides the File Server (NFS), the LAN zone contains DNS and Printer/Scanner servers which are invisible from the internet.

The DMZ consists of a Mail Server, WWW server, Squid, Snort, and I believe the machine which is the dedicated SSH gateway for access to accounts from outside.

Thanks a LOT
OKO


P.S. By the way, all machines in the above diagram are OpenBSD, including the Desktops/Terminals.

Last edited by Oko; 22nd June 2008 at 06:27 PM.
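An added example, not from Oko's post, of what a pf.conf for PF2 (the firewall between the DMZ and the LAN zone) could look like with a block-all policy and rules for both scenarios described above; the interface names, addresses and mail ports are assumptions:

```pf
# Added example (not from the post): pf.conf for PF2, between DMZ and LAN zone.
# All interface names, addresses and ports below are assumptions.
dmz_if = "em0"                 # assumed: interface facing the DMZ
lan_if = "em1"                 # assumed: interface facing the LAN zone
lan_net = "192.168.10.0/24"    # assumed LAN zone
fileserver = "192.168.10.5"    # assumed: NFS file server in the LAN zone
squid = "10.0.0.10"            # assumed: Squid proxy in the DMZ
mailserver = "10.0.0.20"       # assumed: mail server in the DMZ
ssh_gw = "10.0.0.30"           # assumed: dedicated SSH gateway in the DMZ
squid_port = "3128"            # Squid's default listening port
mail_ports = "{ 993, 995 }"    # assumed: IMAPS and POP3S for fetching mail

set skip on lo
# The "block all" default policy; log what is dropped so it shows in pflog.
block log all

# LAN users may reach the internet only through the Squid proxy in the DMZ ...
pass in on $lan_if proto tcp from $lan_net to $squid port $squid_port keep state
# ... and may fetch mail from the DMZ mail server. Nothing else leaves the LAN.
pass in on $lan_if proto tcp from $lan_net to $mailserver port $mail_ports keep state

# Scenario 1: the file server pushes a copy of the files to the SSH gateway
# (rsync over ssh). Because the rule is stateful, the replies belonging to a
# session initiated from the LAN zone are let back in; no inbound rule is needed.
pass in on $lan_if proto tcp from $fileserver to $ssh_gw port 22 keep state

# Scenario 2: only the SSH gateway in the DMZ may open SSH to the file server.
# Any other DMZ host (including a compromised web or mail server) is blocked.
pass in on $dmz_if proto tcp from $ssh_gw to $fileserver port 22 keep state
```

On the file server itself, a matching `block all` plus `pass in proto tcp from $ssh_gw to port 22` restricts SSH to that single DMZ machine even if PF2 is ever misconfigured. Check the result with `pfctl -nf /etc/pf.conf` before loading it.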