Binding File Sharing to a specific hardware interface?

[mattspace]

I've been trying to find a solution, and haven't had any success do far - is there a way, through built-in or third party tools, to bind file sharing to specific hardware interfaces?

For example, I have two Macs connected via ethernet to a switch, and also using common Wifi that all the devices in the location use.

I want to run a thunderbolt cable directly between them, such that they can file share to each other over that cable, but the file sharing is not available / does not even show up to devices connected to the switch, or on the Wifi.

Suggestions appreciated.

 

[willowthewisp]

I've been trying to find a solution, and haven't had any success do far - is there a way, through built-in or third party tools, to bind file sharing to specific hardware interfaces?

For example, I have two Macs connected via ethernet to a switch, and also using common Wifi that all the devices in the location use.

I want to run a thunderbolt cable directly between them, such that they can file share to each other over that cable, but the file sharing is not available / does not even show up to devices connected to the switch, or on the Wifi.

Suggestions appreciated.

Assign a private IP-Adress to each TB-port (for example 10.0.0.1 and 10.0.0.2 with a subnet adress), then mount the volume or folder by hand depending on the protocol (smb or afp) using the “connect to” menu.
This connection is then your “private” network between two computers for file sharing.

 

[mattspace]

Assign a private IP-Adress to each TB-port (for example 10.0.0.1 and 10.0.0.2 with a subnet adress), then mount the volume or folder by hand depending on the protocol (smb or afp) using the “connect to” menu.
This connection is then your “private” network between two computers for file sharing.

Right, but that wouldn't make the resources unavailable to the ethernet network, merely password denied, right? I'm looking for an option that means its physically impossible to access shared resources, unless connected via Thunderbolt - so that other devices on the network won't see the shares as available, etc.

 

[willowthewisp]

Right, but that wouldn't make the resources unavailable to the ethernet network, merely password denied, right? I'm looking for an option that means its physically impossible to access shared resources, unless connected via Thunderbolt - so that other devices on the network won't see the shares as available, etc.

Set the rights/permissions for the specific folders in the control panel, specify only one user.
Or are you looking for a hidden/unvisible folder like in the pre OS X times ?

 

[mattspace]

Set the rights/permissions for the specific folders in the control panel, specify only one user.
Or are you looking for a hidden/unvisible folder like in the pre OS X times ?

Ideally I'd want it to be impossible, even with the username and password, to access shared resources unless connected via the thunderbolt link. That's why I was hoping there was a way to bind a share to an interface, or that there might be a third party tool to implement its own custom sharing connection.

I've found quite a few people asking this question online, but no answers, unfortunately.

 

[Nguyen Duc Hieu]

Ideally I'd want it to be impossible, even with the username and password, to access shared resources unless connected via the thunderbolt link. That's why I was hoping there was a way to bind a share to an interface, or that there might be a third party tool to implement its own custom sharing connection.

I've found quite a few people asking this question online, but no answers, unfortunately.

Set up a VLAN on Mac

Use Network settings to set up a virtual local area network (VLAN) on your Mac.

support.apple.com

Mac OS trunked VLAN Command line - Mervin Praison

VLAN Tagging in Terminal Note: [VLAN-TAG] = VLAN ID Optional: Set static IP address Set default gateway Delete vlan

mer.vin

VLAN Trunking

Multiswitch broadcast domains In the previous lesson, we explained that when a broadcast frame is received on any switch port, the switch forwards it out to all its other ports. Having that in mind, if we connect two default setting switches, as shown in figure 1, any broadcast frame received by...

www.networkacademy.io

 

[mattspace]

Set up a VLAN on Mac

Use Network settings to set up a virtual local area network (VLAN) on your Mac.

support.apple.com

Mac OS trunked VLAN Command line - Mervin Praison

VLAN Tagging in Terminal Note: [VLAN-TAG] = VLAN ID Optional: Set static IP address Set default gateway Delete vlan

mer.vin

VLAN Trunking

Multiswitch broadcast domains In the previous lesson, we explained that when a broadcast frame is received on any switch port, the switch forwards it out to all its other ports. Having that in mind, if we connect two default setting switches, as shown in figure 1, any broadcast frame received by...

www.networkacademy.io

To my eye, all of those options look to be describing setting up a virtual network over the common networking infrastructure. I want to run a separate network over separate hardware, and prevent one network from seeing that sharing is enabled on the other.

I don't want the private networking to physically travel through the switches the public network is using.

 

[mattspace]

This is the network topology I want to set up:

What I want to avoid is file sharing being available, or even acknowledged as existing through the switch.

 

[Nguyen Duc Hieu]

This is the network topology I want to set up:

View attachment 2372996

What I want to avoid is file sharing being available, or even acknowledged as existing through the switch.

Trunked VLAN is one of the solution.
The links I post were just suggestions for you to research more and execute to serve your specific needs. You already have the hardware available, how to setup the VLAN is up to you.

If you don't want to do your own research and study, the only solution left is hiring a network specialist to do the job.
The IT guys in my company can do that. He setup a private network, with private leased line via a separate router to connect to a remote server to submit FATCA report. All from a single LAN port on my laptop.
If he can do that, then so can another IT expert, same network hardware or separate network hardware is not the issue with the expert.

 

[mattspace]

Trunked VLAN is one of the solution.
The links I post were just suggestions for you to research more and execute to serve your specific needs. You already have the hardware available, how to setup the VLAN is up to you.

Right, but none of the examples I saw in the links you posted described what I want to do - they all seemed to rely on a thing I'm specifically trying to avoid - shared network infrastructure between private and non-private networks.

If you don't want to do your own research and study, the only solution left is hiring a network specialist to do the job.

That's why I'm asking here, to find out what I need to research further - if it can't be easily explained in terms of how I set it up for the network diagram I have, then it's unlikely to be explained in a way I can find myself.

All from a single LAN port on my laptop.

This is literally the opposite of what I want to do - I want to run two independent networks from two different ports on the machines, and have file sharing only enabled on one of them.

 

[Nguyen Duc Hieu]

I didn't suggest you an example, just a hint for you to research more.
Probably you are the first one to think about it.
I guess no one ever thought of doing it before.
Simply because if it can be done on 1 physical network interface, then I can't see why it will not be done on 2.

If you want to explain to a network technician about your request, then check my description below if it can be used with your diagram.
2 machine Mac A and Mac B, both has 2 LAN interface (normal LAN and Thunderbolt)
Both will be online 24/7; Both can be used by human at anytime of the day.
Mac A is used as workstation (A1) and file server (A2) at the same time.
File server A2 can only be seen by Mac B. Extra login ID and password needed for user on Mac B to log in and access file server A2.
(This is the hard part for novice users, probably need to change mindset)
Mac A1 still can access the file on the files server A2 as a local file. (Probably it would be easier if considering it as a small network with file server A2, 2 workstation A1 and B instead of thinking A1 to access the files as a local machine)

 

[cqexbesd]

I've been trying to find a solution, and haven't had any success do far - is there a way, through built-in or third party tools, to bind file sharing to specific hardware interfaces?

You have two main choices. Either get the server to bind to just one interface, or use a firewall to stop it receiving packets from other interfaces.

I don’t know if the built in SMB server in OSX allows you to configure which interface to listen on or not. If it does then it is probably by giving it the IP to bind to - just give it the IP you have to your thunderbolt interface.

Using a firewall would also work. Just denying incoming packets on all interfaces bar thunderbolt on TCP port 137 and maybe an extra one (you need to confirm that). That would prevent a file sharing session establishing.

Hopefully that gives you something to Google.

 

[svenmany]

If your goal is to completely isolate Mac 1 and Mac 2, giving them only access to each other and the internet, then a simple solution is using VLANs. You'd just get a switch that supports it. My network switch has 4 VLANs set up to isolate traffic at different levels of risk.

However, if you only want to limit file sharing but support other kinds of connectivity between the Mac computers and the other devices, then VLANs by themselves won't be enough.

It's a shame, but macOS doesn't use Samba for its smb implementation; Samba is so well documented. The "bind interfaces only" global parameter would do just what you want. However, the nsmb.conf man page on macOS does list an "addr" parameter. As usual, macOS is quite pathetic with its man page on giving thorough explanations. Perhaps you should play with that parameter and see if it does what you want. It's listed as a server level parameter

addr = "DNS name or IP address of server"

Personally I'd go the firewall route. I don't mean the macOS application level firewall that is controlled in System Settings. I mean the packet-level firewall that's also built into the OS. I would use Murus Firewall (https://www.murusfirewall.com/), which makes it very easy to configure it. Murus is not the firewall, just a tool that helps you configure it. I think it's a beautiful product. If you decide to go this route, I or maybe others on this thread would be happy to help you configure it. I just refreshed my memory on it, and it seems trivial to satisfy this exact use case. I do use Murus Pro, but I suspect the free version, Murus Lite, would be configured identically.

 

[mattspace]

If your goal is to completely isolate Mac 1 and Mac 2, giving them only access to each other and the internet, then a simple solution is using VLANs. You'd just get a switch that supports it. My network switch has 4 VLANs set up to isolate traffic at different levels of risk.

The specific goal is to have file sharing between the two macs occur on a hardware infrastructure (direct point-to-point thunderbolt cable) that is not shared by any other devices, and for the macs to be unable to conduct that sharing over the shared hardware infrastructure (ethernet).

That's the one, only and specific goal.

 

[svenmany]

The specific goal is to have file sharing between the two macs occur on a hardware infrastructure (direct point-to-point thunderbolt cable) that is not shared by any other devices, and for the macs to be unable to conduct that sharing over the shared hardware infrastructure (ethernet).

That's the one, only and specific goal.

So, unable to conduct "that sharing" through the switch, but able to do other types of sharing. For example, doing airplay from Mac 1 to your Apple TV. VLANs won't help you if you want that. Both the Mac and the Apple TV switch-side interfaces would need to be on the same VLAN for the airplay to work and that same VLAN would therefore allow the smb traffic. Perhaps @Nguyen Duc Hieu can shed some light on something I'm missing.

You need to find a way to prevent smb traffic on the switch interfaces of the two Mac computers. Just as @cqexbesd said, either ensure that the smb servers are not binding to those interfaces or prevent the smb traffic with a firewall. Your opening post asked about how to do the first one. Have you tried altering the settings in /etc/nsmb.conf to do that? Have you run "man nsmb.conf" and read that manual page? I have no idea if you'll have any luck with that. I trust Apple to sabotage most efforts to do something they didn't anticipate the average user would need. I don't know of any third-party tools that can help with this.

I do know that the built-in packet-level firewall approach is a trivial solution and Murus makes it easy to configure.

I don't know how to work with the more well-known application-level firewall of macOS to prevent the smb process from listening on a particular interface.

I have a license to Little Snitch. I don't see how it can help. You can limit the smbd process from accepting traffic "from" particular addresses, not "to" a particular addresses.

The makers of Murus also have an application level firewall called Vallum. I think it can do what's needed. I do have a license for it since I bought it together with Murus, but I don't have it installed. Consider https://help.vallumfirewall.com/index.php?chapter=ruleformat, where it shows that it can block by target address. It's kind of the same approach as a packet-level firewall except that the rule is for the listening process rather than just interfaces and ports.

 

[mattspace]

So, unable to conduct "that sharing" through the switch, but able to do other types of sharing. For example, doing airplay from Mac 1 to your Apple TV.

Pretty much - I'm happy to push content out over ethernet / wifi, I just don't want anything reaching in, or even having the possibility of reaching in.

For example if the thunderbolt connection goes squirrelly, I don't want to find out the machines have reconnected to each other over ethernet etc.

Ideally I was looking for a graphical tool to do it, hence as to whether there's a 3rd party app to configure the more obscure settings if they existed on the system, the way web server prefpanes used to configure the built in Apache.

 

[svenmany]

Pretty much - I'm happy to push content out over ethernet / wifi, I just don't want anything reaching in, or even having the possibility of reaching in.

For example if the thunderbolt connection goes squirrelly, I don't want to find out the machines have reconnected to each other over ethernet etc.

Ideally I was looking for a graphical tool to do it, hence as to whether there's a 3rd party app to configure the more obscure settings if they existed on the system, the way web server prefpanes used to configure the built in Apache.

That's slightly more restrictions to the Mac computers than I thought you wanted. For example, you might have wanted to allow your iPhone to Airplay to your Mac. But, if you want no ingress at all to your Mac computers (nothing "reaching in"), then the packet-filter is the way to go.

Murus is a graphical tool that would allow you to set this up.

The original thing you asked for, a way to have the smb server bind to just the thunderbolt interfaces, would not have protected your Mac computers from other things "reaching in" that are not smb traffic.