I need to setup a restricted external access to file shares on the network.

Thing is, there are some sensible files that need to be hidden when someone connects from the (eventual) VPN.

Setup:

Mac OS X Server 10.5, up-to-date; Open Directory + Samba + Kerberos.
Various Windows and Mac OS clients, no older than XP or 10.5 as far as I've been told.

My idea, from the start, was to setup the VPN so that it will allocate IP addresses from another subnet, route the subnets together using the firewall, and block incoming access to some folders using Samba's rules, and let the system apply the relevant ACL for the remaining folders.

Is it possible to do such a thing using AFP share points, and combine all the greatness together from the potential VPN, Open Directory, and all, to prevent access from the outside? If so, how?

Olivier Tremblay
  • The idea slightly matured as to downright forbid access to AFP from the VPN IP range, forcing outsiders to fall back to SMB... Any good, you think? – Olivier Tremblay Dec 22 '09 at 20:07

2 Answers

We do exactly that. VPN clients are put on a subnet which is different from the AFP servers. They must go through a router, which has the ability to block port 548. We go one step further by defining two classes of VPN users based on a pre-shared key. We can then define rules differently based on the class of VPN user.

You don't really need to block it at the router though. You could also enable the firewall in Mac OS X Server and block it there.

If you only block port 548, then Samba/CIFS will continue to work.

lukecyca
If your VPN clients are on a different subnet to your LAN clients, you should be able to use the built-in Server Firewall to restrict AFP (port 548) access to the LAN subnet.

mrowell
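Both answers come down to the same rule set: put VPN clients on their own subnet and let the firewall (a router, or ipfw behind Server Admin's Firewall pane on 10.5) refuse TCP 548 from that subnet while leaving SMB (139/445) open, so remote users fall back to Samba and the share-level ACLs there. The script below is an added example, not code from either answer; it prints the ipfw rules for that policy and simulates first-match evaluation against a few constructed connections. The addresses (LAN 192.168.1.0/24, VPN pool 10.8.0.0/24, server 192.168.1.10) and the default-deny tail rule are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answers. Addresses are constructed:
#   LAN        : 192.168.1.0/24  (office clients and the AFP/SMB server)
#   VPN pool   : 10.8.0.0/24     (addresses the VPN hands out to remote clients)
#   AFP server : 192.168.1.10
LAN_NET="192.168.1.0/24"
VPN_NET="10.8.0.0/24"
AFP_SERVER="192.168.1.10"

# Emit ipfw rules implementing the policy: deny AFP (TCP 548) from the VPN
# pool, allow SMB (139/445) from it, allow all three from the LAN.
# Rule numbers are arbitrary; ipfw evaluates lower numbers first.
ipfw_rules() {
    cat <<EOF
add 10000 deny tcp from $VPN_NET to $AFP_SERVER 548 setup
add 10010 allow tcp from $VPN_NET to $AFP_SERVER 139,445 setup
add 10020 allow tcp from $LAN_NET to $AFP_SERVER 548,139,445 setup
EOF
}

# Dotted quad -> 32-bit integer, POSIX arithmetic only.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_subnet IP CIDR : succeeds when IP falls inside CIDR.
in_subnet() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# check_conn SRC_IP DST_PORT : print "allow" or "deny" for a new TCP
# connection to the AFP server, mirroring the first-match order above.
check_conn() {
    src=$1; port=$2
    if in_subnet "$src" "$VPN_NET"; then
        case $port in
            548)     echo deny ;;     # rule 10000: AFP blocked for VPN users
            139|445) echo allow ;;    # rule 10010: SMB still reachable
            *)       echo deny ;;
        esac
    elif in_subnet "$src" "$LAN_NET"; then
        case $port in
            548|139|445) echo allow ;;  # rule 10020
            *)           echo deny ;;
        esac
    else
        echo deny   # nothing matched; assumes a default-deny tail rule
    fi
}

echo "# ipfw rules:"; ipfw_rules
for conn in "10.8.0.5 548" "10.8.0.5 445" "192.168.1.20 548"; do
    set -- $conn
    echo "$1 -> port $2: $(check_conn "$1" "$2")"
done
```

The `setup` keyword restricts each rule to connection-opening packets, which is all that is needed to refuse a new AFP session; established LAN sessions are untouched. Running the script shows the VPN client refused on 548 but allowed on 445, and the LAN client allowed on 548, which is exactly the "forced fallback to SMB" the comment on the question was after.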