Re: Help for a newbie


Subject: Re: Help for a newbie
From: Bob Rogers (rogers-netatalk@rgrjr.dyndns.org)
Date: Wed Sep 20 2000 - 12:16:06 EDT


   From: Steve Freitas <sflist@ihonk.com>
   Date: Tue, 19 Sep 2000 12:19:24 -0700

>Problem TWO
>I wish to restrict access to one of the machines based on IP Numbers.
>This is no problem for me with samba but how do I set the config
>(which config) file to do this for netatalk? I want the
>(restricted) Macs to have guest access, but no access for any other Macs

Did you mean "no access for any other user accounts"?

   I'm not sure Netatalk has this functionality. However, unless someone
   else suggests something better, you might consider configuring TCP
   Wrappers (the Redhat-included "firewall" software) to block access to
   port 548 to all but a few IPs. This would give you what you want.

I am not well acquainted with tcp wrappers, but doesn't tcp wrappers
only apply if you are starting afpd from /etc/inetd.conf, and not the
SysV-style /etc/rc.d/init.d/atalk script? On the other hand, if you use
ipchains to block the port, then it shouldn't matter how you start the
server, because then the firewalling is done at a lower level in the
kernel.

Beyond that, it seems to me that both the ipchains and tcp wrappers
solutions would block *all* access, or none; neither could be used to
limit it to guest access. What Colin was asking for is access control
based on both IP and user ID. It seems to me that IP-based access is
usually done at the firewall level (where it is more secure), and
user-based access is done at the server login level (where it is more
versatile); I know of no technology for mixing the two levels, but if
done anywhere, it would have to be in the server, where login is
handled. Does Samba really do this? Because I have a hard time
imagining a situation where I would trust a given host (or IP range) for
some users, but not for others.

                                        -- Bob Rogers
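To make the tcp wrappers side of this thread concrete, here is an added example (mine, not from the thread or from netatalk) that works through the hosts_access(5) decision order for afpd against constructed /etc/hosts.allow and /etc/hosts.deny contents. It assumes afpd is actually reached through tcp wrappers (for instance via tcpd from inetd, as discussed above) and that the daemon name tcpd checks is "afpd"; the point it illustrates is that a client matched by neither file is permitted, so the "afpd: ALL" line in hosts.deny is what does the blocking.

```python
import ipaddress
import re

# Constructed sample rule files (not from the original thread).
HOSTS_ALLOW = """
# /etc/hosts.allow: the few Macs that may reach afpd (port 548)
afpd: 192.168.1.0/255.255.255.0, 10.0.0.5
"""
HOSTS_DENY = """
# /etc/hosts.deny: refuse everyone else for afpd only
afpd: ALL
"""

def _parse(text):
    """Yield (daemon_list, client_list) pairs; comments and the optional
    third (shell command) field are ignored, as is the EXCEPT operator."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]
        rules.append((re.split(r"[,\s]+", daemons.strip()),
                      re.split(r"[,\s]+", clients.strip())))
    return rules

def _client_matches(pattern, client):
    """ALL, net/mask or CIDR, trailing-dot prefix, or exact address."""
    if pattern == "ALL":
        return True
    if "/" in pattern:  # ipaddress accepts both a.b.c.0/255.255.255.0 and /24
        return ipaddress.ip_address(client) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        return client.startswith(pattern)
    return client == pattern

def _file_matches(rules, daemon, client):
    return any((daemon in daemons or "ALL" in daemons)
               and any(_client_matches(p, client) for p in clients)
               for daemons, clients in rules)

def hosts_access(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcpd order: first match in hosts.allow grants, then first match in
    hosts.deny refuses, and a client matched by neither file is granted."""
    if _file_matches(_parse(allow), daemon, client):
        return True
    if _file_matches(_parse(deny), daemon, client):
        return False
    return True
```

Calling hosts_access("afpd", "172.16.0.9", deny="") shows the failure mode: with no deny-all line, an unlisted Mac is still let in.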



This archive was generated by hypermail 2b28 : Wed Jan 17 2001 - 14:32:12 EST