11-17-2010, 02:34 AM
|
#1
|
Member
Registered: Jun 2007
Posts: 84
|
Mount NAS in home network and share some contents on internet
My home network consists of an IPCOP firewall running in its own physical machine with red (internet), green (internal), blue (wireless), and now orange (externally available) zones.
My question is simply how best to mount data from the internal network on an internet-available orange server?
The long story: Inside the green zone is a D-Link DNS-323 NAS and a few virtual servers with various flavours of Linux running on a VMware ESXi 4.1 host. The contents of the DNS323 are mounted where needed in the green network using CIFS. Most other servers share what they have using NFS as that is what I am most familiar with. This setup works but doesn't seem elegant.
The recently added orange zone contains one virtual server that I intend to use to access some parts of the green network's data from remote sites. This server is available on the internet using dyndns.com and for security reasons will share only the absolute minimum data. The data is on the DNS323, mostly read-only access is required, some limited r/w areas could be useful. The data rates will be low, performance is not such an issue as security.
The question is how best to make this private data available to an internet-visible server, retaining a high level of security? I tried mounting the DNS323 using CIFS in a green network server, then sharing some bits using NFS but that didn't seem to work. Can anyone offer any pointers about how I could best structure things? In particular mount points & techniques, firewall configuration (ports, services), and things to explicitly forbid.
I realise this is a bit OTT for a home network but I'm using this to learn about networking and gain some experience. The books 'Hardening Linux' by James Turnbull and 'Linux Firewalls' by Michael Rash cover some aspects of the topic, but mounting & network structure is a mystery.
Thanks in advance.
Last edited by HellesAngel; 11-17-2010 at 04:02 AM.
|
|
|
11-18-2010, 01:30 PM
|
#2
|
Senior Member
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,278
|
Who do you plan on making it available to, only yourself?
Certain times of day?
Web front end, or something else?
|
|
|
11-22-2010, 04:40 AM
|
#3
|
Member
Registered: Jun 2007
Posts: 84
Original Poster
|
Thanks for your response. The main aim is for me only to have access to data on my home network when I'm working at my clients' sites. The main reason for asking the question is to try to learn how to share private data 'properly', i.e. how it would be done in a professional setup. Anyone can just bodge something together and hope.
Time of day restrictions are not really necessary except to decrease the risk of unauthorised access.
I haven't really thought about the front end. At the moment I use ssh/scp/putty, which is sufficient and am reading through the various pages on securing this. Ultimately I could pick up Django or Typo3 and try something webby but that's some way off.
|
|
|
11-30-2010, 10:26 AM
|
#4
|
Senior Member
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,278
|
Well... the "Proper" way is to not expose it at all to unauthorized users.
The proper way would be to set up a VPN into your network that you can get into via a small client and a key. Some firewalls support this, but more often than not they use IPsec which requires big elaborate clients, then others use SSLvpn which can use smaller clients.
If your firewall doesn't support VPN, you can look into OpenVPN, which is the open source solution. There are many, many, many different setups that you can build to get into your data. Such as -- if you do not want to carry a small putty client and key with you, you can set up a WebGUI that will allow you access to your files -- via OpenVPN.
And there are also out-of-the-box solutions, such as Untangle, which uses OpenVPN.
Explaining how to do it is a bit general to do in a forum -- but searching for it will yield plenty of examples and how-tos.
Hope this helps.
Last edited by szboardstretcher; 11-30-2010 at 10:28 AM.
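An added example, not part of the posts above and not taken from any poster's setup: a minimal OpenVPN server configuration in the spirit of post #4, using certificate and key authentication and pushing a route to a single NAS host instead of the whole green network. The addresses (192.168.1.10 for the NAS, 10.8.0.0/24 for VPN clients), the file names and the port are assumptions chosen for illustration.

```conf
# Constructed example: addresses, file names and port are assumptions.
port 1194
proto udp
dev tun

# Certificate-based authentication: the server and every client
# hold their own key and a certificate signed by the same CA.
ca   ca.crt
cert server.crt
key  server.key
dh   dh.pem

# Shared HMAC key: packets without a valid signature are dropped
# before any TLS handshake is attempted.
tls-auth ta.key 0
tls-version-min 1.2

# Address pool handed out to VPN clients (assumed unused elsewhere).
server 10.8.0.0 255.255.255.0

# Push a host route to the NAS only, not a route to the green network.
push "route 192.168.1.10 255.255.255.255"

# client-to-client is deliberately left out, so connected clients
# cannot reach each other through the server.
keepalive 10 120
persist-key
persist-tun

# Drop root privileges once the tunnel is up.
user nobody
group nogroup

verb 3
```

The pushed route only shapes what clients try to reach; the firewall on the VPN host still has to limit forwarded traffic from the VPN subnet to the NAS address and the file-sharing port in use.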
|
|
|
All times are GMT -5.