By default, the server accepts connections from all known TCP/IP interfaces. When a client browses the network for an AFP server, it will respond with a list of all known server TCP/IP addresses.
Sometimes it may be required to hide some interfaces or TCP/IP addresses. This can be done via the ipaddress preference, which is described in 9.1 “AFP server preference keys”.
In addition, a TCP/IP access list allows limiting incoming connections from a list of specified TCP/IP addresses. See ipaccess in 9.1 “AFP server preference keys”.
HELIOS products include many different services which can be accessed very easily for intranet usage. For using the HELIOS services on both the intranet and the internet, additional security considerations must be taken into account, e.g. you do not want everyone launching OPI layout image generation by issuing commands on the “opisrv” telnet port. Another problem is that not all volumes should be available to internet users. And you certainly do not want unauthorized internet users printing to your server printer queues. Making the main server accessible from the internet poses a major problem: due to the variety of different services running on the server, it is possible that there is still a way for hackers to find some service which they can use to break into your system. If you need a 100% guarantee that your system is secure, you probably need to decide to run a local intranet only, with no gateway services to or from the internet.
In addition to the HELIOS services, UNIX includes many services: NFS, telnet, ftp, rlogin, etc. A simple way to verify active services is the netstat -a | grep -i listen command. One option to bring some services into the internet is to use two network adapters, one for the intranet and a second for the internet, e.g.:

le0  172.16.0.1      Intranet network
le1  193.141.98.37   Internet network
UNIX IP routing/forwarding is not required and should be turned off between these two networks.
The best solution is to turn all HELIOS services off for connections from the internet (here the 193.141.98.x network) by using the HELIOS TCP/IP access list feature, which can be managed from HELIOS Admin or with a UNIX text editor. A sample configuration of “HELIOSDIR/var/conf/ipaccess” is:
allow 172.16.0.0/255.255.0.0 #Intranet Network
deny 0.0.0.0/0
This configuration will basically deny all access from the internet, with the exception of the 172.16.x.x network, which can use the HELIOS services.
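To make the effect of such an access list concrete, the following is an added example (not HELIOS code) that parses rules written in the ipaccess format shown above and evaluates client addresses against them. It assumes rules are evaluated top to bottom with the first match winning, which the manual does not state but which the trailing catch-all deny suggests.

```python
import ipaddress

# Constructed sample in the format of HELIOSDIR/var/conf/ipaccess:
# one "allow" or "deny" rule per line, address/netmask, '#' starts a comment.
IPACCESS_SAMPLE = """\
allow 172.16.0.0/255.255.0.0   #Intranet Network
deny  0.0.0.0/0
"""


def parse_ipaccess(text):
    """Parse ipaccess-style text into an ordered list of (action, network)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"malformed rule: {raw!r}")
        action, spec = parts
        # ipaddress accepts both a prefix length (/16) and a dotted netmask
        # (/255.255.0.0), so the manual's notation parses unchanged.
        rules.append((action, ipaddress.ip_network(spec, strict=False)))
    return rules


def check_client(rules, client_ip, default="deny"):
    """Return 'allow' or 'deny' for client_ip.

    Assumption (not stated in the manual): rules are evaluated top to bottom
    and the first matching rule wins, which is why the sample ends with a
    catch-all 'deny 0.0.0.0/0'. A list with no matching rule falls back to
    `default`; keeping that at 'deny' makes an incomplete list fail closed.
    """
    addr = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if addr in net:
            return action
    return default


if __name__ == "__main__":
    rules = parse_ipaccess(IPACCESS_SAMPLE)
    for ip in ("172.16.5.20", "193.141.98.37", "10.0.0.1"):
        print(ip, "->", check_client(rules, ip))
```

Under the first-match assumption, swapping the two rules would deny every client, including the intranet; a test for that ordering mistake is worth keeping next to any hand-edited list.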
One sample configuration is to allow internet access for one AFP server volume but deny it for all other volumes. First, the “afpsrv” process must be allowed to accept connections from the internet. This can be done in HELIOS Admin, Settings > Server Settings, by selecting DEFAULT from the pop-up menu in the Mac tab and editing this access list according to your needs. Then, access can be configured on a per-volume basis in the volume settings (<volume name> > IP Access) by selecting the desired access list from the pop-up menu (see Fig. 4.1).
A description of how to edit the IP access file or set up new ones is given in the HELIOS Base manual.