Configuring mac's built-in firewall

cscgal (Administrator, Staff Writer)
#1, Nov 3rd, 2004
Hopefully there is a way to do this. But basically, I would like to use Panther's built-in firewall. It works perfectly, except I would like the other computers on my home network to be able to always go through the firewall, and have firewall rules only apply to machines outside the subnet. The reason for this is because there is only one network adapter and the outside world sees it through a cable modem, and I am also using it to share the cable connection with the other machines on my home network. Hopefully that made some twisted kinda sense. Thanks!

Just to reiterate, I want to set up my firewall so that SSH is open to everyone, but CUPS is only open to the other machines on my network, and Internet Connection Sharing is open to the other machines on my network.
Dani the Computer Science Gal
Follow my Twitter feed! twitter.com/daniweb
kc0arf (Team Colleague)
#2, Nov 3rd, 2004
Hello,

I will need to see if OS X will obey the standard UNIX / Linux firewalling commands (iptables / ipchains / ifwdm?). If so, you should be able to write rules (yeah, probably by hand, but that is what the keyboard is for!)

I think you have a flaw in your network idea though. You mention sharing the cable modem, and that implies that you want to do network address translation (NAT) or something that we call routing. You cannot route over a single interface. That doesn't work.

I'd like to see a network diagram of what you are proposing to do. Please draw up something in ASCII art, or plop a quick attachment and draw out what you are trying to do. Something about a Picture == 1000 words.

Christian
cscgal
#3, Nov 3rd, 2004
OK, here's what I am doing ...

physical layout =

cable modem -> gigabit switch -> mac and windows machines both connected to ports on the switch, each with a gigabit nic card

so in other words, there is a gigabit switch, with 3 ports used up ... one going to the cable modem, one going to the mac, and one going to the windows machine

..........

The mac is set up to grab an IP via DHCP, and it therefore finds that it can grab an IP from the cable modem, and it does so ... therefore giving the mac internet access with an IP in the range of 24.x.x.x

The mac is also set up to share its internet access. It therefore binds a second IP address, 192.168.2.1, to the same one ethernet port as it is using for the cable modem.

The windows machine is also set up to grab internet access via DHCP. There is no reason to explicitly state to use 192.168.2.1 as a gateway since the cable modem is only willing to hand out one IP, and the mac has it already. Therefore, 192.168.2.1 is the only place to get an IP from. The windows machine therefore becomes 192.168.2.2.

Now, everyone has an IP and everyone is happy. However, the mac also runs CUPS, Samba, FTP, and SSH. I want everyone globally to be able to access FTP and SSH. But of course I only want the two 192.168.2.* machines to be able to access CUPS and Samba.

But now the problem that I am having is that the 24.* IP and the 192.168.2.1 IP are both connected to the same interface. It is no problem for me to block those services with a firewall. However, the problem is that I'm not sure how to write a chain rule to distinguish IPs from each other, which are both bound to the same network port.

I am familiar with iptables but the mac uses ipfw, which I have no experience with.
kc0arf
#4, Nov 4th, 2004
Hello,

I see two solutions here.

1) Replace the switch with a router. This will allow your router's input port to take the 24.x address, and will allow the output to be on 192.x network. If you are going to take this approach, then I would go after a wireless router, as if there is a laptop in your future, make the investment now, and simply disable the RF portion of the network. I suggest the wireless router from Buffalo Technologies. I avoid Linksys.

By doing this, you are setting up NAT, and have a clean networking environment. The router will handle NAT, so that you can turn on / off your machines without one relying on the other.

You will need to setup some port forwarding on the router, so that SSH, web, and other Packets reach the proper computer. Matter of fact, you could have two ports: 10022 and 10023 both listening to ssh.... one goes to the Mac, the other to your Windoze box.

2) You can insert a second NIC into your G5 computer, and run one NIC on 24.x and the other NIC on 192.x. Treat the first NIC as an untrusted device, and firewall it. Treat the second NIC as a trusted device, and let it flow.

3) Build a cheap linux server and put that between your cable modem and the switch. Run IPTABLES there. Host your private website there. Route from there.

I think real world applications would strive for #1.

I am surprised that you got two IP numbers to work on the single card. In my 9+ years of computer industry service, I have NEVER seen two IP numbers on the same network card. I would really avoid it. I have seen multiple Netware protocols (Ethernet_II, Ethernet_802.2) bound together, but that is not IP.

Christian
cscgal
#5, Nov 5th, 2004
Option #1 is what I have always done. I always had a linksys router that went between the cable modem and the switch. However, I was having problems with it, and just yesterday decided to ditch the router. Hence causing my machine to be wide open.

Even with multiple nic cards in the mac, from what I am seeing, the Mac OS X firewall can only be turned on / off systemwide, without manually editing ipfw. I have stumbled upon a program called BrickHouse, however, so I might give that a try.
kc0arf
#6, Nov 5th, 2004
Hello,

I found a few firewall products for the Mac:

http://personalpages.tds.net/~brian_hill/brickhouse.html

http://www.sunprotectingfactory.com/sunShield/shield_news.html

http://www.intego.com/netbarrier/

You can give them a try and see how they work.

I still do not like the idea of one NIC having two IP addresses assigned to it.

Christian
cscgal
#7, Nov 5th, 2004
Two IPs assigned to one nic was actually an exercise I remember doing in my TCP/IP networking course last semester.
kc0arf
#8, Nov 5th, 2004
I still do not like the idea of two IP numbers on the NIC. Really messes up routing and other things, like subnetting and collisions and sorts. Ugly.

Be nice, and kindly clean up your network. You mentioned that you were having problems with the router device. What was going wrong?

Christian
yellow (Posting Pro)
#9, Nov 17th, 2004
It should be noted that SunShield and BrickHouse are just GUIfied front-ends for ipfw, while NetBarrier is a completely separate firewall product.

If you wish to learn to control ipfw by hand (err.. CLI), this is the place to start:

http://www3.sympatico.ca/dccote/firewall.html
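A worked ipfw ruleset for the single-NIC layout described in post #3, added here as an example (it is not from the thread, from Panther, or from any of the linked tools): SSH and FTP open to everyone, CUPS and Samba only to 192.168.2.0/24. It assumes en0 as the shared interface and the standard service ports (CUPS TCP 631; Samba TCP 139/445 and UDP 137/138); the `verdict_tcp_in` function is a reading aid that mirrors the rule order, not part of ipfw.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes: en0 carries both the cable-modem address
# and 192.168.2.1; LAN is 192.168.2.0/24; CUPS on TCP 631; Samba on TCP 139/445, UDP 137/138.
IPFW="${IPFW:-/sbin/ipfw}"          # set IPFW=echo to preview instead of loading
EXT_IF="${EXT_IF:-en0}"
LAN="${LAN:-192.168.2.0/24}"
LAN_PREFIX="${LAN%.0/24}"           # 192.168.2

# Ruleset in evaluation order (lowest number first, first match wins). Both addresses
# share en0, so "via en0" cannot tell LAN from Internet traffic; the LAN-only services
# are keyed on the source subnet instead (a forged LAN source would still match 400-420).
ipfw_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 allow tcp from any to any established
add 300 allow tcp from any to any 22 in via $EXT_IF
add 310 allow tcp from any to any 21 in via $EXT_IF
add 400 allow tcp from $LAN to any 631 in via $EXT_IF
add 410 allow tcp from $LAN to any 139,445 in via $EXT_IF
add 420 allow udp from $LAN to any 137,138 in via $EXT_IF
add 500 deny log tcp from any to any 631,139,445 in via $EXT_IF
add 510 deny log udp from any to any 137,138 in via $EXT_IF
add 65000 allow ip from any to any
EOF
}

# Flush and load the ruleset; safe to re-run.
apply_rules() {
    "$IPFW" -q -f flush
    ipfw_rules | while read -r rule; do
        "$IPFW" $rule                 # unquoted on purpose: split into ipfw arguments
    done
}

# Mirror the first-match walk for a new inbound TCP connection from $1 to port $2,
# so the policy can be checked by hand before it is loaded.
verdict_tcp_in() {
    case "$2" in
        21|22) echo allow ;;                                   # rules 300/310
        631|139|445)                                           # rules 400/410 vs 500
            case "$1" in "$LAN_PREFIX".*) echo allow ;; *) echo deny ;; esac ;;
        *) echo allow ;;                                       # rule 65000
    esac
}

case "${1:-}" in
    preview) ipfw_rules ;;
    apply)   apply_rules ;;
esac
```

Because both addresses live on en0, these rules cannot tell a genuine LAN packet from one arriving on the cable side with a 192.168.2.x source; that is the limitation kc0arf's second-NIC option removes. If NAT is run by hand as in post #10, the divert rule goes ahead of rule 100.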
Paul.Esson (Junior Poster)
#10, Feb 14th, 2005
Well, a little while ago last year I set up internet sharing with my Palm, but anyway, this is what I did:

[code]
# Turn on IP forwarding
sudo /usr/sbin/sysctl -w net.inet.ip.forwarding=1
# Start natd on en0; -deny_incoming drops unsolicited incoming connections (you probably don't want this since you only have one card)
sudo /usr/sbin/natd -same_ports -use_sockets -log -deny_incoming -interface en0
# Divert all IP traffic passing through en0 (the card connected to the net) to natd for network address translation
sudo /sbin/ipfw add divert natd ip from any to any via en0
[/code]