EtherShare G8 User manual (Version 7.0.0)  
 

4 TCP/IP configuration

4.1 AFP server access

By default, the server accepts connections on all known TCP/IP interfaces. When a client browses the network for an AFP server, the server answers with a list of all its known TCP/IP addresses.

Sometimes it may be required to hide some interfaces or TCP/IP addresses. This can be done via the ipaddress preference, which is described in 9.1 “AFP server preference keys”.

In addition, a TCP/IP access list allows limiting incoming connections from a list of specified TCP/IP addresses. See ipaccess in 9.1 “AFP server preference keys”.

4.2 IP access list

HELIOS products include many services that are easy to reach within an intranet. Using HELIOS services on the internet as well as the intranet requires additional security considerations: you do not want everyone to launch OPI layout image generation by issuing commands on the “opisrv” telnet port, not all volumes should be available to internet users, and you certainly do not want unauthorized internet users printing to your server printer queues. Making the main server reachable from the internet carries a major risk: with so many different services running on the server, an attacker may still find one that can be used to break into the system. If you need a guarantee that your system is secure, you will probably have to run an intranet only, with no gateway services to or from the internet.

In addition to the HELIOS services, UNIX includes many services of its own: NFS, telnet, ftp, rlogin, etc. A simple way to check for active TCP services is the netstat -a | grep -i listen command; note that it only shows TCP sockets in the LISTEN state, so UDP-based services such as NFS and the portmapper must be looked for separately in the full netstat -an output. One option for exposing some services to the internet is to use two network adapters, one for the intranet and a second for the internet, e.g.:

le0     172.16.0.1      Intranet network 
le1     193.141.98.37   Internet network
Note:

UNIX IP routing/forwarding is not required and should be turned off between these two networks.

The most reliable way to disable all HELIOS services for connections from the internet is to deny the internet network 193.141.98.x in the HELIOS TCP/IP access list, which can be managed from HELIOS Admin or edited with a UNIX text editor. A sample configuration of “HELIOSDIR/var/conf/ipaccess” is:

allow 172.16.0.0/255.255.0.0        #Intranet Network 
deny 0.0.0.0/0

This configuration denies access from every address except the 172.16.x.x intranet network, which can use the HELIOS services. Keep in mind that an IP access list filters on the source address of a connection: it restricts which networks can reach a service, but it is no substitute for user authentication on the services themselves.
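As an added example (not HELIOS code) of how an ipaccess list like the one above is evaluated, the Python below parses the sample list, decides whether a given client address is admitted, and flags rules that an earlier rule makes unreachable. It assumes, since the manual does not say so, that rules are tried top to bottom with the first match deciding and that an address matching no rule is denied; the sample list and the client addresses are constructed for the example.

```python
"""Evaluate a HELIOS-style ipaccess list against client addresses.

Added example, not HELIOS code. Assumptions not stated by the manual:
rules are evaluated top to bottom, the first matching rule decides, and
a client that matches no rule is denied.
"""
import ipaddress

# Constructed sample, mirroring the manual's HELIOSDIR/var/conf/ipaccess example.
SAMPLE_IPACCESS = """\
# Intranet may use all HELIOS services, everything else is refused.
allow 172.16.0.0/255.255.0.0        #Intranet Network
deny 0.0.0.0/0
"""


def parse_ipaccess(text):
    """Return a list of (action, network) tuples in file order.

    Comments (# ...) and blank lines are skipped. The network part may use a
    dotted netmask (as in the manual) or a prefix length; both are accepted
    by ipaddress.ip_network.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        action, net = parts
        # strict=False tolerates host bits set in the address part.
        rules.append((action, ipaddress.ip_network(net, strict=False)))
    return rules


def is_allowed(rules, client):
    """First matching rule wins (assumed); no match means deny."""
    addr = ipaddress.ip_address(client)
    for action, net in rules:
        if addr.version == net.version and addr in net:
            return action == "allow"
    return False


def audit_rules(rules):
    """Return 1-based indices of rules that can never match because an
    earlier rule already covers their whole network (a misordered list,
    e.g. a catch-all deny placed before the intranet allow)."""
    shadowed = []
    for i, (_, net) in enumerate(rules):
        for _, earlier in rules[:i]:
            if earlier.version == net.version and net.subnet_of(earlier):
                shadowed.append(i + 1)
                break
    return shadowed


if __name__ == "__main__":
    rules = parse_ipaccess(SAMPLE_IPACCESS)
    for client in ("172.16.5.9", "193.141.98.37"):
        print(client, "allowed" if is_allowed(rules, client) else "denied")
    print("shadowed rules:", audit_rules(rules))
```

Run the audit whenever the list is edited by hand: with the two sample lines reversed, the allow entry is reported as shadowed and every intranet client would be refused.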

4.2.1 Volume access list

One sample configuration is to allow internet access to one AFP server volume but deny it for all other volumes. First, the “afpsrv” process must be permitted to accept connections from the internet. This is done in HELIOS Admin, Settings > Server Settings, by selecting DEFAULT from the pop-up menu in the Mac tab and editing the selected access list file according to your needs.

Then, access on a per volume basis can be configured in the volume settings (<volume name> > IP Access) by selecting the desired access list from the pop-up menu (see Fig. 4.1).

A description of how to edit the IP access file or set up new ones, is given in the HELIOS Base manual.

Fig. 4.1: Volume IP Access


HELIOS Website © 2020 HELIOS Software GmbH  
HELIOS Manuals September 10, 2020