Samba – Prevent AFP share access over VPN connection

Tags: afp, mac-osx-server, network-share, samba, vpn

I need to set up restricted external access to file shares on the network.

The thing is, there are some sensitive files that need to be hidden when someone connects from the (eventual) VPN.

Setup:

Mac OS X Server 10.5, up to date
Open Directory + Samba + Kerberos
Various Windows and Mac OS clients, no older than XP or 10.5 as far as I've been told.

My idea, from the start, was to set up the VPN so that it allocates IP addresses from another subnet, route the subnets together using the firewall, block incoming access to some folders using Samba's rules, and let the system apply the relevant ACLs for the remaining folders.

Is it possible to do such a thing using AFP share points, and combine all the greatness together from the potential VPN, Open Directory, and all, to prevent access from the outside? If so, how?

Best Answer

We do exactly that. VPN clients are put on a subnet which is different from the AFP servers. They must go through a router, which has the ability to block port 548. We go one step further by defining two classes of VPN users based on a pre-shared key. We can then define rules differently based on the class of VPN user.

You don't really need to block it at the router though. You could also enable the firewall in Mac OS X Server and block it there.

If you only block port 548, then Samba/CIFS will continue to work.
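An added example of the host-firewall variant described in the answer (it is not code from the answer's author): it emits ipfw rules, the firewall shipped with Mac OS X 10.5, that deny AFP (TCP 548) from the VPN subnet to the file server while leaving SMB/CIFS ports reachable so the Samba share rules stay in charge. The VPN subnet, server address and rule numbers are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original answer. Prints the ipfw rules for review
# rather than applying them; apply_rules() needs root and a host with ipfw.
# All addresses and rule numbers below are assumed placeholders.

VPN_SUBNET="${VPN_SUBNET:-10.9.0.0/24}"     # assumed VPN client address pool
AFP_SERVER="${AFP_SERVER:-192.168.1.10}"    # assumed AFP/SMB file server
BASE_RULE="${BASE_RULE:-1000}"              # assumed free rule-number slot

# Emit the rule set: deny AFP from the VPN pool (logged, so attempts show up
# in the firewall log), then explicitly allow SMB/CIFS from the same pool.
afp_block_rules() {
    vpn="$1"; srv="$2"; n="$3"
    echo "add $n deny log tcp from $vpn to $srv dst-port 548"
    echo "add $((n + 1)) allow tcp from $vpn to $srv dst-port 445,139"
}

# Check the emitted rule set the way ipfw evaluates it (first match wins):
# returns 0 if TCP $1 from the VPN side would be denied, 1 if it would pass.
vpn_port_blocked() {
    port="$1"
    afp_block_rules "$VPN_SUBNET" "$AFP_SERVER" "$BASE_RULE" |
    while read -r _ _ action rest; do
        ports="${rest##*dst-port }"          # "548" or "445,139"
        case ",$ports," in
            *",$port,"*)
                if [ "$action" = deny ]; then echo blocked; else echo allowed; fi
                break ;;
        esac
    done | grep -q blocked
}

# Apply the rules on the server itself (root only; ipfw exists on 10.5).
apply_rules() {
    afp_block_rules "$VPN_SUBNET" "$AFP_SERVER" "$BASE_RULE" |
    while read -r rule; do
        ipfw $rule
    done
}

afp_block_rules "$VPN_SUBNET" "$AFP_SERVER" "$BASE_RULE"
```

Only AFP is cut off by these rules; files exposed through Samba are still reachable over 445/139 unless the share-level rules the question mentions also hide them.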