From owner-freebsd-questions@FreeBSD.ORG Wed Apr 25 11:12:24 2007
Return-Path:
X-Original-To: questions@freebsd.org
Delivered-To: freebsd-questions@FreeBSD.ORG
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 8EC6716A406 for ; Wed, 25 Apr 2007 11:12:24 +0000 (UTC) (envelope-from tedm@toybox.placo.com)
Received: from mail.freebsd-corp-net-guide.com (mail.web-strider.com [65.75.192.90]) by mx1.freebsd.org (Postfix) with ESMTP id 344AB13C44C for ; Wed, 25 Apr 2007 11:12:23 +0000 (UTC) (envelope-from tedm@toybox.placo.com)
Received: from TEDSDESK (nat-rtr.freebsd-corp-net-guide.com [65.75.197.130]) by mail.freebsd-corp-net-guide.com (8.13.8/8.13.8) with SMTP id l3PAXRZA021620; Wed, 25 Apr 2007 03:33:28 -0700 (PDT) (envelope-from tedm@toybox.placo.com)
From: "Ted Mittelstaedt"
To: "Rico Secada" ,
Date: Wed, 25 Apr 2007 03:34:36 -0700
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0)
In-Reply-To: <20070423194730.482ca62b.coolzone@it.dk>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1896
Importance: Normal
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-3.0 (mail.freebsd-corp-net-guide.com [65.75.192.90]); Wed, 25 Apr 2007 03:33:29 -0700 (PDT)
Cc:
Subject: RE: Help needed with server setup at work
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 25 Apr 2007 11:12:24 -0000

> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Rico Secada
> Sent: Monday, April 23, 2007 10:48 AM
> To: questions@freebsd.org
> Subject: Help needed with server setup at work
>
>
> Hi.
>
> At work we have a bunch of NFS servers. The servers provide the
> home directories for all the employees' client machines.
>
> Most of the employees mount their home dirs manually, but some
> are mounted using scripts. Employee John knows he belongs to NFS
> server 1, and employee Britney knows she belongs to NFS server 3
> and so on.
>
> Now due to new conditions

Without saying what these new conditions are, you aren't giving much that anyone can give advice on.

> I have to set up a new system from
> which ALL employees are able to mount their home directories from
> their homes (where they live). Since I only have one IP address
> at my disposal, I need to set up some kind of union system in
> which all home directories appear as they live on just one server.
> Besides that I have to figure out what kind of security I need to
> use. I have been thinking about AFS.
>
> About the union thing I first thought of somehow union mounting
> all the different home directories on a single machine which then
> serves as the access point, but I am afraid if that particular
> machine crashes, then no one can get to their files.
>

You're going about it in exactly the wrong way and in a very insecure manner, in my opinion.

If you have a situation going where the building that all these employees are working in, that contains them, their workstations, and their servers, is going to be vacated, such as a kind of virtual company scenario, then ASSUMING that the employees ALL have high-speed connectivity (DSL, Cable, or whatever) of at least a megabit, then the safest and most trouble-free way of doing it is to have ALL employees set up with their ISPs to have static IP addresses, and then put hardware VPN firewalls at each employee's home and set up dedicated lan2lan VPNs that are permanently up all of the time. Linksys sells a very nice VPN firewall, the RV042, that is fantastic for this job.

This will allow you to manage all employee computers just as if they were all in the now-missing building. This is particularly important as you can install patches, monitor for intrusion attempts, etc. It also moves the ickiness of the VPN client software away from the employees' computers, simplifying that system.

At the central hub where all the servers remain, you can easily set up a firewall that only allows VPNs in from the designated remote IP addresses.

If however the need is for only periodic access, then investigate a remote control solution. I would recommend setting up a bastion host that is on your single public IP address, and a VNC server on it. Employees can use one of many VNC clients (there's even one for Palm OS I believe) and go from their homes to the bastion host, then from the bastion host, xterm to their desktop systems.

Putting a union NFS server up is just asking for trouble, particularly if you aren't restricting access to it via IP address.

Ted
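One way to express the hub-side rule Ted describes, "a firewall that only allows VPNs in from the designated remote IP addresses", as an added example that is not from the thread or from Ted: a pf.conf fragment for a FreeBSD hub. It assumes IPsec lan2lan tunnels from the employees' VPN appliances, external interface em0, internal LAN on em1, a kernel that exposes decrypted IPsec traffic on enc0, and constructed placeholder addresses for the employee static IPs and home networks.

```pf
# pf.conf fragment for the central hub (added example, assumed FreeBSD + pf)
ext_if = "em0"          # single public IP lives here (assumed interface name)
int_if = "em1"          # LAN with the NFS servers (assumed interface name)
nfs_net = "10.0.0.0/24" # constructed placeholder for the server LAN

# Designated employee static IPs: the only peers allowed to bring up a tunnel.
# Constructed placeholders (documentation ranges); replace with the real list.
table <vpn_peers> persist { 192.0.2.10, 192.0.2.22, 198.51.100.7 }

# Private networks behind each employee's VPN appliance (constructed placeholders)
table <home_nets> persist { 192.168.10.0/24, 192.168.22.0/24, 192.168.7.0/24 }

set block-policy drop
set skip on lo0

# Default deny: nothing on the public address answers unless a rule below allows it.
# NFS (portmap 111, nfsd 2049) is therefore never exposed on $ext_if.
block log all

# The hub may initiate outbound connections
pass out quick on $ext_if inet keep state

# IPsec from designated peers only: IKE (500), NAT-T (4500) and ESP
pass in quick on $ext_if proto udp from <vpn_peers> to ($ext_if) port { 500, 4500 } keep state
pass in quick on $ext_if proto esp from <vpn_peers> to ($ext_if)

# Decrypted tunnel traffic appears on enc0 (assumes if_enc); only the home
# networks behind the tunnels may reach the server LAN, e.g. to mount NFS homes
pass in on enc0 from <home_nets> to $nfs_net keep state
pass out on enc0 from $nfs_net to <home_nets> keep state

# The server LAN itself stays reachable for hosts already inside the building/hub
pass in on $int_if inet keep state
```

Blocked attempts are logged via pflog, so a connection to 111/2049 on the public address, or an IKE attempt from a non-designated source, shows up in the pflog interface for review.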