DaemonForums > OpenBSD > OpenBSD Security

22nd June 2008
Oko
Fsck Surgeon

Join Date: May 2008
Location: Kosovo, Serbia
Posts: 779
Thanked 36 Times in 32 Posts
Remote Access to File Server

I am a hobbyist, so I was wondering if you system administrators could explain something to me regarding remote access to a file server.

Suppose that I want to run a full-blown network with the following topology:

internet <--> PF1 <--> DMZ <--> PF2 <--> LAN zone

in which my file server as well as my DNS server are in the LAN zone and completely invisible from the internet. Ideally, I am thinking that the PF2 rules should allow people from the LAN zone access only to the internet via the Squid proxy in the DMZ, as well as fetching mail from the mail server, which is also in the DMZ, and nothing else. The PF2 blocking policy ideally should be block all.

Suppose now that I am a user and want to access my files on the file server in the LAN zone from my home, which is outside the LAN zone, actually on the Internet in the above diagram. Of course the file server doesn't run OpenSSH, and moreover PF2 would block access to it anyway. Let's suppose that I put another machine in the DMZ which is now my SSH gateway for files.

How can I make the files on the file server visible to a user who is logged into such an SSH gateway?
I have a couple of ideas in mind.

One is having a second copy of the files on the SSH gateway machine (sort of like a secondary file server) and then running rsync from the file server which is in the LAN zone (that would of course require refining the PF2 rules so that they allow packets to pass into the LAN zone file server after such a remote sync is initiated from the LAN zone itself).

The other scenario is to simply open the SSH port on PF2 and to use the SSH gateway machine in the DMZ to redirect the traffic to the file server. In this scenario the file server in the LAN zone will allow SSH, but only from that specific machine in the DMZ zone. Nothing else.


What do you people actually do?

The above thoughts are the result of my attempts to fully understand the topology of the network of the University where I work.

The LAN zone is of course user terminals with faculty and student accounts. Those accounts actually reside on the file server, which runs NFS and is only visible from the LAN zone. Besides the file server (NFS), the LAN zone contains DNS and printer/scanner servers, which are invisible from the internet.

The DMZ consists of a mail server, WWW server, Squid, Snort, and I believe the machine which is the dedicated SSH gateway for access to accounts from outside.

Thanks a LOT
OKO


P.S. By the way, all machines in the above diagram are OpenBSD, including the desktops/terminals.

Last edited by Oko; 22nd June 2008 at 06:27 PM.
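The PF2 policy sketched in the post (block all; LAN only to the Squid proxy and the mail server in the DMZ; either an rsync mirror pushed from the file server or a single DMZ host allowed to SSH into the file server) can be written down as a pf.conf. The ruleset below is an added example, not the poster's configuration or the university's real one; the interface names, addresses, the proxy port and the mail ports are assumptions made for illustration.

```pf
# PF2 ruleset sketch (added example, not from the original post or the
# university's real configuration). Interface names, addresses and the mail
# ports are assumptions for illustration only.
dmz_if = "em0"                 # interface facing the DMZ (hypothetical)
lan_if = "em1"                 # interface facing the LAN zone (hypothetical)

lan_net    = "10.0.0.0/24"     # LAN zone (hypothetical)
squid      = "192.168.1.10"    # Squid proxy in the DMZ (hypothetical)
mailsrv    = "192.168.1.20"    # mail server in the DMZ (hypothetical)
ssh_gw     = "192.168.1.30"    # dedicated SSH gateway in the DMZ (hypothetical)
fileserver = "10.0.0.10"       # NFS file server in the LAN zone (hypothetical)

set skip on lo0

# Default policy: block all, in both directions, on both interfaces.
# Logged so that anything the policy did not anticipate shows up on pflog0.
block log all

# LAN -> Squid: web access from the LAN only through the proxy in the DMZ.
pass in  on $lan_if proto tcp from $lan_net to $squid port 3128 keep state
pass out on $dmz_if proto tcp from $lan_net to $squid port 3128 keep state

# LAN -> mail server: fetching mail over IMAPS/POP3S (assumed ports).
pass in  on $lan_if proto tcp from $lan_net to $mailsrv port { 993, 995 } keep state
pass out on $dmz_if proto tcp from $lan_net to $mailsrv port { 993, 995 } keep state

# Scenario 1 (mirror on the gateway): the file server initiates rsync over
# ssh to the SSH gateway. Only this outbound connection is allowed; the
# replies ride back on the state, so no rule from the DMZ side is needed.
pass in  on $lan_if proto tcp from $fileserver to $ssh_gw port 22 keep state
pass out on $dmz_if proto tcp from $fileserver to $ssh_gw port 22 keep state

# Scenario 2 (gateway as jump host): the SSH gateway, and only it, may open
# SSH to the file server. Nothing else from the DMZ reaches the LAN zone.
pass in  on $dmz_if proto tcp from $ssh_gw to $fileserver port 22 keep state
pass out on $lan_if proto tcp from $ssh_gw to $fileserver port 22 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and watch what the default rule drops with `tcpdump -n -e -ttt -i pflog0`. In practice one would pick only one of the two scenario blocks: scenario 1 needs no inbound hole at all, at the price of a second copy of the data on a DMZ host; scenario 2 opens exactly one TCP port from exactly one host, and the file server should enforce the same restriction itself (a local pf rule or `AllowUsers *@192.168.1.30` in its sshd_config, the address again being the hypothetical one above) so that compromising the gateway is still not the same as compromising the file server. From home the user then connects to the gateway and from there to the file server, or chains the two hops with a ProxyCommand (or, on later OpenSSH releases, `ssh -J`).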