HELIOS EtherShare 2.6 User manual


A 8: IP configuration - Reference Part
General remarks
AppleShare IP offers some new features that are quite useful for your EtherShare UNIX-Macintosh network. In the following, we give a short summary of the configurations we recommend when using TCP/IP.
For advice on the software requirements, please refer to chapter 5.13.8 "IP Access".
Access control via addresses and domains (under UNIX)
IP access configuration can be performed on a Macintosh using the EtherShare Admin program or under UNIX using an editor such as vi. The "Macintosh solution" is much easier and more convenient - it is described in chapter 5.13.8. Before proceeding with this section, please read "About defaults" in chapter 5.13.8 "IP Access".
If you configure IP access under UNIX, you have to change the "afpipaccess" configuration file. This does not require stop/start-atalk. EtherShare will read the configuration file on every login.
The script "$ESDIR/etc/mkipaccess" will create an initial configuration file in "$ESDIR/conf/afpipaccess", allowing access to clients on the same network segment only. This file may contain the following statements:
allow ipaddr/mask
deny ipaddr/mask
allowdomain do.main
denydomain do.main

If the file is empty - or not present at all - access is allowed (this corresponds to "allow 0.0.0.0/0.0.0.0").
The IP address 0.0.0.0 with the mask 0.0.0.0 matches any address; it is thus a good idea to use the statement:
deny 0.0.0.0/0.0.0.0
as the last line in the access file and to explicitly allow access only to selected networks or IP numbers. To grant access to the class C net 192.9.200 only, use the following statements:
allow 192.9.200.0/255.255.255.0
deny 0.0.0.0/0.0.0.0
The mask (255.255.255.0 in the example) specifies the significant bits that are to be compared against the IP number. If the mask is not specified, it is assumed to be 255.255.255.255, meaning that it will match the number exactly. The example:
allow 192.9.200.1
deny 0.0.0.0/0.0.0.0
will thus allow access to a single machine only, namely to 192.9.200.1.
The IP address can also be specified as a normal host name; it must then be resolvable through the configured name service, e.g. DNS or NIS. If DNS or NIS is properly configured to resolve host names, you can also use domain-based access controls.
The statement:
denydomain hacker.com
will deny access to any IP number that resolves to a host name that ends with the domain hacker.com. The allowdomain statement works the other way round:
allowdomain company.com
deny 0.0.0.0/0.0.0.0
would allow access to any machine whose IP address resolves to a host name ending in company.com, and deny everyone else.
The domain-based access controls cause a reverse lookup of the host name for every IP address that connects to the server. If any connecting IP addresses have no reverse mapping, timeouts might occur that slow down establishing a connection to the server. Please note that whoever owns the reverse mapping of a set of IP addresses can put arbitrary domains into that reverse DNS mapping, not only their own domains.
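To make the rule semantics above concrete, the following is an added example that evaluates a client address against an afpipaccess-style rule set. It is not HELIOS code; it assumes that the first matching statement decides (the reason the manual puts "deny 0.0.0.0/0.0.0.0" last), that an empty or non-matching rule set allows the connection, that '#' comments may be stripped, that domain names match only on a label boundary, and that a host name which does not resolve matches nothing. The name service is replaced by two hypothetical resolver functions backed by constructed tables so the example runs offline.

```python
"""Evaluate a client IP against afpipaccess-style rules (illustrative example)."""
import ipaddress
from typing import Callable, List, Optional, Tuple

Rule = Tuple[str, str]           # (statement, argument) exactly as written in the file
Resolver = Callable[[str], Optional[str]]
STATEMENTS = ("allow", "deny", "allowdomain", "denydomain")
ALL_ONES = 0xFFFFFFFF            # 255.255.255.255, the mask assumed when none is given


def parse_afpipaccess(text: str) -> List[Rule]:
    """Return (statement, argument) pairs in file order.
    Skipping blank lines and '#' comments is an assumption of this example."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[0] not in STATEMENTS:
            raise ValueError(f"malformed afpipaccess line: {raw!r}")
        rules.append((parts[0], parts[1]))
    return rules


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def address_matches(client_ip: str, spec: str, resolve_forward: Resolver) -> bool:
    """allow/deny argument: 'ipaddr[/mask]' or a host name.
    The mask marks the significant bits and is applied bitwise, so it need not be
    a contiguous prefix; no mask means 255.255.255.255 (exact match)."""
    target, _, mask = spec.partition("/")
    try:
        target_int = _to_int(target)
    except ipaddress.AddressValueError:
        resolved = resolve_forward(target)     # host name: ask the name service
        if resolved is None:
            return False                       # assumption: unresolvable names never match
        target_int = _to_int(resolved)
    mask_int = _to_int(mask) if mask else ALL_ONES
    return (_to_int(client_ip) & mask_int) == (target_int & mask_int)


def domain_matches(hostname: Optional[str], domain: str) -> bool:
    """True when the reverse-mapped host name ends with the domain.
    Matching on a label boundary ('nothacker.com' does not match 'hacker.com')
    is an assumption of this example."""
    if hostname is None:
        return False
    host, dom = hostname.lower().rstrip("."), domain.lower().rstrip(".")
    return host == dom or host.endswith("." + dom)


def is_allowed(client_ip: str, rules: List[Rule],
               resolve_forward: Resolver, resolve_reverse: Resolver) -> bool:
    """First matching rule decides. No rules, or no matching rule, allows the
    connection, which is why a trailing 'deny 0.0.0.0/0.0.0.0' is recommended."""
    reverse_name: Optional[str] = None
    reverse_done = False
    for stmt, arg in rules:
        if stmt in ("allow", "deny"):
            if address_matches(client_ip, arg, resolve_forward):
                return stmt == "allow"
        else:
            if not reverse_done:                # one reverse lookup per connection
                reverse_name = resolve_reverse(client_ip)
                reverse_done = True
            if domain_matches(reverse_name, arg):
                return stmt == "allowdomain"
    return True


# --- constructed sample data (not from any real deployment) -------------------
SAMPLE_AFPIPACCESS = """\
allow 192.9.200.0/255.255.255.0   # the local class C net
allow fileserver                  # a host name, resolved via the name service
allowdomain company.com
denydomain hacker.com
deny 0.0.0.0/0.0.0.0              # everything else
"""
SAMPLE_FORWARD = {"fileserver": "10.1.2.3"}
SAMPLE_PTR = {
    "172.16.5.9": "build.company.com",
    "203.0.113.7": "www.hacker.com",
    "203.0.113.8": "trusted.company.com",   # PTR chosen by a foreign address owner
}


def sample_forward(name: str) -> Optional[str]:
    return SAMPLE_FORWARD.get(name)


def sample_reverse(ip: str) -> Optional[str]:
    return SAMPLE_PTR.get(ip)


SAMPLE_RULES = parse_afpipaccess(SAMPLE_AFPIPACCESS)


def check(client_ip: str) -> bool:
    """Decide one connection against the sample file and sample resolvers."""
    return is_allowed(client_ip, SAMPLE_RULES, sample_forward, sample_reverse)


if __name__ == "__main__":
    for ip in ("192.9.200.77", "10.1.2.3", "172.16.5.9", "203.0.113.7", "203.0.113.8"):
        print(ip, "allowed" if check(ip) else "denied")
```

The entry for 203.0.113.8 in the constructed PTR table shows the caveat from the manual: the owner of the reverse mapping picks the name, so an address outside company.com is admitted by "allowdomain company.com" simply because its PTR record claims that domain. Address-based allow statements do not have this weakness, which is one reason to prefer them where the set of client networks is known.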
Access control via port number (firewalls)
AFP over TCP uses connections to port 548. The port can be changed by specifying the "afpport" parameter in "atalk.conf":
afpsrv: afpport=1024
would use port 1024 instead. For successful connections, the port number on the client side must be changed accordingly. This can be done either by specifying hostname:port in the dialog that lets you enter an IP number or by using the "AppleShare Client Setup" tool (http://www.apple.com/appleshareip/):
Figure A-27 shows the user interface of this setup tool - the Default TCP Port is set to 1024.
Fig. A-27: Setting up a default TCP port on a Macintosh

Configuring message delivery
The above-mentioned "AppleShare Client Setup" tool is also very useful for defining timeouts for server messages. You can make your Macintosh close specific message dialogs automatically after a given period of time. This can be sensible, because otherwise all processes running on your computer are stopped until you close the message window. Figure A-28 shows an example configuration. The settings are always valid for one client only.
Fig. A-28: AppleShare settings for incoming server messages

Learn more about the AppleShare Client Setup
For the other dialogs of the "AppleShare Client Setup" tool, we recommend keeping the default settings. For specific questions you may refer to Apple's online documentation. Please note that for some configurations you have to specify the respective parameter on both platforms, the Macintosh and the UNIX server.
New EtherShare parameter for volume modification checking
AFP 2.2 specifies the use of server notifications, which avoid the client polling for changes on volumes. By default, the server checks for volume changes every ten seconds and notifies clients accordingly. This is similar to previous AFP versions, where the client polled every 10 seconds. If you have very busy volumes that change all the time, however, you may wish to specify another interval. With EtherShare 2.6 you can configure the respective parameter on the server in "atalk.conf". For example:
afpsrv: volcheckinterval=60
The above setting makes the server check for volume changes every minute, which reduces the volume status traffic to one sixth compared to previous AFP versions. Please note that clients using workstation software older than 3.7 will continue to poll every 10 seconds.

Note: Changes to "afpsrv" require stop-atalk and then again start-atalk.

Additional information about AppleShare IP
IP access to the server can also be switched off completely, if necessary. Use the noip parameter to deny the mounting of volumes via TCP/IP:
afpsrv: noip
The number of AppleTalk sockets is still limited to 250. If you use AppleShare IP connections to mount EtherShare volumes, all 250 sockets remain available for pap (printers) and adsp (terminal, mail) connections.

© 2002 HELIOS Software GmbH