Question

What I want is to set up a Mac to connect to multiple networks. So far, so good. However, I only want to grant AFP access to users on ONE of the networks, but not the other. How can I accomplish this on (non-server) Mac OS X?

This is probably an issue that comes up quite a bit in IT - you want to use the same machine as a world-facing web server and as an internal AFP (or whatever) server, but I haven't really been able to find a way to do it.


Solution

You can do this using the built-in ipfw firewall (it is not the default firewall in Snow Leopard, but it is still included). You can configure it from the command line; the exact rule set you need depends on your other requirements, but the specific rules in question would be something like:

# allow AFP (TCP port 548) from the trusted 10.0.0.0/24 network
/sbin/ipfw add allow tcp from 10.0.0.0/24 to any 548

# deny all other AFP traffic (rules are evaluated in order, so this goes second)
/sbin/ipfw add deny tcp from any to any 548

Obviously you will need to adjust that for your specific network. Also, these rules are not persistent, which means you will need to add a script to run those commands every reboot. On the other hand, that means that if you wedge your networking while trying to come up with appropriate rules you can always just reboot to reset the stack. There are plenty of ipfw tutorials on the web (most of them are aimed at FreeBSD users, but it is the same interface).
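As an added example (not code from the answer above), here is the kind of boot-time script the answer refers to: it emits the two ipfw rules with fixed rule numbers so re-running it does not stack duplicates, validates the subnet so a typo cannot open port 548 to everyone, and offers a dry-run mode. The trusted subnet 10.0.0.0/24, the rule numbers 1000/1010 and the `apply`/`dry-run` arguments are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer: a boot-time script that
# restricts AFP (TCP 548) to one trusted subnet with ipfw. Assumptions
# (placeholders): trusted LAN 10.0.0.0/24, rule numbers 1000/1010 unused.
TRUSTED_NET="${TRUSTED_NET:-10.0.0.0/24}"
AFP_PORT=548
IPFW="${IPFW:-/sbin/ipfw}"

# Reject anything that is not a dotted quad with a prefix length, so a
# typo in TRUSTED_NET cannot silently turn the allow rule into "any".
valid_cidr() {
    case "$1" in */[0-9]|*/[12][0-9]|*/3[0-2]) ;; *) return 1 ;; esac
    ip="${1%/*}"
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$ip" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Emit the rule set in evaluation order. Fixed rule numbers make the
# order deterministic and let the script be re-run without stacking
# duplicate rules (bare "ipfw add" appends a new copy each time).
afp_rules() {
    net="$1"
    valid_cidr "$net" || { echo "bad subnet: $net" >&2; return 1; }
    echo "delete 1000 1010"
    echo "add 1000 allow tcp from $net to me $AFP_PORT"
    # Log matches so refused AFP attempts from the other network show up
    # in the system log (needs sysctl net.inet.ip.fw.verbose=1).
    echo "add 1010 deny log tcp from any to me $AFP_PORT"
}

# Apply (or, with DRY_RUN=1, just print) each rule line.
apply_rules() {
    afp_rules "$TRUSTED_NET" | while read -r rule; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$IPFW $rule"
        else
            # The delete fails harmlessly on first boot when no rule exists.
            $IPFW $rule 2>/dev/null || [ "${rule%% *}" = delete ]
        fi
    done
}

case "${1:-}" in
    apply)   apply_rules ;;
    dry-run) DRY_RUN=1 apply_rules ;;
esac
```

Run `sh afp-firewall.sh dry-run` to see the commands, and `sudo sh afp-firewall.sh apply` (from a LaunchDaemon or rc script) to install them at boot.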

Licensed under: CC-BY-SA with attribution