Set up Firewall to allow AFP from LAN & VPN only
I've worked out that I need to set up a rule which allows connection to my AFP files from my LAN and incoming VPN connections. At the moment remote users can access files via AFP over the public internet; I want them to be connected via VPN before getting to their files. (My Server has a public IP address and domain name, and my router is forwarding all requests to it.)
So far in Server Admin -> Firewall -> Firewall Services I have disabled AFP under the 'any' connection. (AFP is unchecked/unticked with "Allow only traffic to these ports" selected). So no access to AFP.
Now under the 192.168-net services I have enabled AFP.
So I can now connect to my files from my LAN. Good. My assumption is that because VPN gives incoming connections a 192.168.0.1/24 address it too is on my LAN and therefore allowed connection to AFP on port 548. But not so. I can't get to my files when connected via VPN.
Just to reiterate, I can get connected to the files over AFP from either my LAN, a VPN connection or a direct AFP connection when the Firewall is set to allow all connections. So I do know the VPN etc. are all working as expected. My aim is to prevent AFP unless it's from the LAN or via VPN.
Many thanks