
Set up Firewall to allow AFP from LAN & VPN only

I've worked out that I need to set up a rule which allows connection to my AFP files from my LAN and incoming VPN connections. At the moment remote users can access files via AFP over the public internet; I want them to be connected via VPN before getting to their files. (My Server has a public IP address and domain name, my router is forwarding all requests to it.)


So far in Server Admin -> Firewall -> Firewall Services I have disabled AFP under the 'any' connection. (AFP is unchecked/unticked with "Allow only traffic to these ports" selected). So no access to AFP.


Now under the 192.168-net services I have enabled AFP.


So I can now connect to my files from my LAN. Good. My assumption is that because VPN gives incoming connections a 192.168.0.1/24 address it too is on my LAN and therefore allowed connection to AFP on port 548. But not so. I can't get to my files when connected via VPN.


Just to reiterate, I can get connected to the files over AFP from either my LAN, a VPN connection or a direct AFP connection when the Firewall is set to allow all connections. So I do know the VPN etc etc are all working as expected. My aim is to prevent AFP unless it's from the LAN or via VPN.


Many thanks

Posted on Apr 29, 2014 2:53 AM


Apr 29, 2014 5:46 AM in response to David Gordon

Get a competent gateway-router-NAT-firewall network box. Commercial, or open source.


Make sure your router isn't actually routing this traffic — some of the routers I've encountered that do that spoof the addresses through the NAT, which means the target host sees the router's IP address as its adjacent box and not the remote users' IP address. This played havoc with one configuration, as the router happily allowed all sorts of dreck through — it's a router after all, and not a gateway-router-NAT-firewall box — and the local access rules allowed all sorts of traffic to hit the server. Badness ensued.


In general, I'd not connect OS X as a gateway-router-NAT-firewall box, as while that's possible, any mistakes and any changes and any software reconfigurations and any potential software errors leave you in deep sneakers. In my experience, OS X has never made a good NAT-router-gateway box. Apple has been removing those features for a while, or pushing them to the command line, too.


With an external gateway-router-NAT-firewall box, you're generally not reconfiguring that box very often, not upgrading that (not very often), not loading unrelated and network-connected software onto it, and generally not messing with an established configuration. Basically, the firewall box is static, and — once established — nobody's logging in and messing around with it all the time. Which if you think about it, is what happens with an OS X box that's running as a gateway — all sorts of things are happening on an OS X box, and things which can have security implications.


While it can be possible to secure an OS X box, that's more work and more care, and the care involved here is ongoing — testing some random software package or screwing up a reconfiguration that happens to introduce a vulnerability can ruin your whole day.


Introducing a similar mistake behind a locked-down firewall box is usually far less of an issue.


If you plan to use a VPN, consider a box with an embedded VPN server.


If you plan to use a VPN, get out of 192.168.0.0/24, as that subnet is used across many home and coffee shop networks, as VPNs are based on IP routing, and as IP routing doesn't appreciate finding the same subnet on both ends of the connection. Use a subnet somewhere deeper and more obscurely within 192.168.0.0/16, or better somewhere non-obvious in either 172.16.0.0/12 or 10.0.0.0/8.
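The two technical points in this thread, the original poster's "AFP only from LAN or VPN" rule set and the subnet-overlap caveat in the reply above, can be checked offline with a small model. The following is an added example, not code from the thread, from Apple, or from OS X Server's firewall. It mimics first-match rules of the kind ipfw evaluates, with constructed address ranges as assumptions: the LAN is taken to be 192.168.0.0/16 (the "192.168-net" group), the VPN pool is moved to 10.99.0.0/24 as the reply suggests, and AFP is TCP 548. The route-conflict check generalises the reply's point slightly: it tests every route the VPN would push against the client's local subnet, not just the address pool.

```python
"""Model of an 'AFP only from LAN or VPN' first-match rule set, plus a check
for VPN subnets that collide with the remote client's own LAN.

Added example; not code from the thread or from OS X Server. All address
ranges below are constructed assumptions for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List, Optional

AFP_PORT = 548  # AFP over TCP, as in the original post


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: ipaddress.IPv4Network       # source range the rule matches
    dport: Optional[int]             # None matches any destination port


def build_rules(lan: str, vpn_pool: str) -> List[Rule]:
    """AFP is allowed from the LAN group and from the VPN pool, and denied from
    everywhere else. Order matters: the catch-all deny must come last, which is
    the same property a first-match firewall such as ipfw relies on."""
    return [
        Rule("allow", ipaddress.ip_network(lan), AFP_PORT),
        Rule("allow", ipaddress.ip_network(vpn_pool), AFP_PORT),
        Rule("deny", ipaddress.ip_network("0.0.0.0/0"), AFP_PORT),
    ]


def evaluate(rules: List[Rule], src_ip: str, dport: int) -> str:
    """Return the action of the first rule matching (src_ip, dport), or
    'no-match' when no rule addresses that traffic at all."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if ip in rule.src and (rule.dport is None or rule.dport == dport):
            return rule.action
    return "no-match"


def route_conflicts(vpn_routes: List[str], client_lan: str) -> List[str]:
    """Routes the VPN would install on the client that overlap the client's
    own local subnet. Any hit means the client cannot tell its local network
    apart from the tunnel, which is the failure the reply warns about."""
    local = ipaddress.ip_network(client_lan)
    return [r for r in vpn_routes if ipaddress.ip_network(r).overlaps(local)]


if __name__ == "__main__":
    # Constructed server-side assumptions: LAN group and a non-obvious VPN pool.
    rules = build_rules("192.168.0.0/16", "10.99.0.0/24")
    for src, port in [("192.168.1.20", AFP_PORT),   # LAN client
                      ("10.99.0.7", AFP_PORT),      # VPN client
                      ("203.0.113.9", AFP_PORT),    # public internet, AFP
                      ("203.0.113.9", 80)]:         # public internet, non-AFP
        print(f"{src:>14} -> tcp/{port}: {evaluate(rules, src, port)}")

    # Constructed client-side scenario: a coffee-shop LAN on 192.168.0.0/24.
    print("pool 192.168.0.0/24 conflicts:",
          route_conflicts(["192.168.0.0/24"], "192.168.0.0/24"))
    print("pool 10.99.0.0/24 conflicts:",
          route_conflicts(["10.99.0.0/24", "192.168.0.0/16"], "192.168.0.0/24"))
```

The last line is the interesting one: even after the VPN pool is moved out of 192.168.0.0/24, a VPN that also pushes a route for the whole server-side 192.168.0.0/16 LAN still collides with a remote client sitting on 192.168.0.0/24, so the LAN itself, not just the pool, is worth keeping out of the most common home and coffee-shop ranges.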

Apr 30, 2014 7:19 AM in response to MrHoffman

Appreciate your advice MrHoffman.


I'm trying to use the Mac's firewall as it appeared the correct way to work with my fixed IP address. Previously I've used the ISP supplied router to port forward (and therefore acting as firewall?) to the server. However, this is a Really Big Pain to configure and while I agree I shouldn't have to do it often I have in the past failed to have it read config files resulting in much work.


But I'll reconsider my position on that.


I've always used Mac OS X Server for VPN, I'm interested to hear why you think I shouldn't.
