Hopefully there is a way to do this. But basically, I would like to use Panther's built-in firewall. It works perfectly, except I would like the other computers on my home network to be able to always go through the firewall, and have firewall rules only apply to machines outside the subnet. The reason for this is because there is only one network adapter and the outside world sees it through a cable modem, and I am also using it to share the cable connection with the other machines on my home network. Hopefully that made some twisted kinda sense. Thanks!

Just to reiterate, I want to set up my firewall so that SSH is open to everyone, but CUPS is only open to the other machines on my network, and Internet Connection Sharing is open to the other machines on my network :-/


Hello,

I will need to see if OS X will obey the standard UNIX / Linux firewalling commands (iptables / ipchains / ifwdm?) If so, you should be able to write rules (yeah, probably by hand, but that is what the keyboard is for!)

I think you have a flaw in your network idea though. You mention sharing the cable modem, and that implies that you want to do network address translation (NAT) or something that we call routing. You cannot route over a single interface. That doesn't work.

I'd like to see a network diagram of what you are proposing to do. Please draw up something in ASCII art, or plop a quick attachment and draw out what you are trying to do. Something about a Picture == 1000 words.

Christian

OK, here's what I am doing ...

physical layout =

cable modem -> gigabit switch -> mac and windows machines both connected to ports on the switch, each with a gigabit nic card

so in other words, there is a gigabit switch, with 3 ports used up ... one going to the cable modem, one going to the mac, and one going to the windows machine

..........

The mac is set up to grab an IP via DHCP, and it therefore finds that it can grab an IP from the cable modem, and it does so ... therefore giving the mac internet access with an IP in the range of 24.x.x.x

The mac is also set up to share its internet access. It therefore binds a second IP address, 192.168.2.1, to the same one ethernet port as it is using for the cable modem.

The windows machine is also set up to grab internet access via DHCP. There is no reason to explicitly state to use 192.168.2.1 as a gateway since the cable modem is only willing to hand out one IP, and the mac has it already. Therefore, 192.168.2.1 is the only place to get an IP from. The windows machine therefore becomes 192.168.2.2

Now, everyone has an IP and everyone is happy. However, the mac also runs CUPS, Samba, FTP, and SSH. I want everyone globally to be able to access FTP and SSH. But of course I only want the two 192.168.2.* machines to be able to access CUPS and Samba.

But now the problem that I am having is that the 24.* IP and the 192.168.2.1 IP are both connected to the same interface. It is no problem for me to block those services with a firewall. However the problem is that I'm not sure how to write a chain rule to distinguish IPs from each other, which are both bound to the same network port.

I am familiar with iptables but the mac uses ipfw, which I have no experience with.
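The ruleset the original poster is asking for, as an added example that is not code from the thread: SSH and FTP reachable from anywhere, CUPS and Samba only from the 192.168.2.x machines, and sharing still working on the one port. It assumes the LAN is 192.168.2.0/24, the port is en0, natd was started with -interface en0 but without -deny_incoming, and that these rules replace (rather than sit beside) the System Preferences firewall rules.

```shell
#!/bin/sh
# Added example, not from the thread: ipfw rules for one port (assumed en0)
# that carries both the cable-modem address and the 192.168.2.1 alias.
# Assumptions: LAN is 192.168.2.0/24; natd runs with '-interface en0' and
# WITHOUT -deny_incoming (natd would otherwise drop world SSH before ipfw
# sees it); the cable address is the port's primary address, so natd uses it.
LAN_NET="${LAN_NET:-192.168.2.0/24}"
EXT_IF="${EXT_IF:-en0}"

# gen_rules prints the commands instead of running them, so the set can be
# reviewed (or diffed against 'sudo ipfw list') before it is loaded as root.
gen_rules() {
    cat <<EOF
ipfw -f flush
ipfw add 100 allow ip from any to any via lo0
# 110: nothing arriving from the wire may claim one of the Mac's own addresses
ipfw add 110 deny log ip from me to any in
# 200-240: LAN-local traffic, decided before natd can rewrite 192.168.2.1 to
#          the cable address; 'me' matches every address on this host
ipfw add 200 allow ip from me to ${LAN_NET}
ipfw add 210 allow tcp from ${LAN_NET} to me 21,22,631,139,445 setup keep-state
ipfw add 220 allow udp from ${LAN_NET} to me 137,138 keep-state
ipfw add 230 allow icmp from ${LAN_NET} to me
ipfw add 240 deny log ip from ${LAN_NET} to me
# 300-320: un-translate what comes in from the cable, then pass known replies
ipfw add 300 divert natd ip from any to any in via ${EXT_IF}
ipfw add 310 check-state
ipfw add 320 allow icmp from any to any in icmptypes 0,3,11
# 400: SSH and FTP open to the whole world
ipfw add 400 allow tcp from any to me 21,22 setup keep-state
# 500-520: record outbound state on the private address, then NAT it at 800
ipfw add 500 skipto 800 tcp from any to any out via ${EXT_IF} setup keep-state
ipfw add 510 skipto 800 udp from any to any out via ${EXT_IF} keep-state
ipfw add 520 skipto 800 icmp from any to any out via ${EXT_IF}
ipfw add 700 deny log ip from any to any
ipfw add 800 divert natd ip from any to any out via ${EXT_IF}
ipfw add 810 allow ip from any to any
EOF
}

# lan_only_count returns how many rules are scoped to the home LAN, a quick
# sanity check that the restricted services really carry the subnet qualifier.
lan_only_count() {
    gen_rules | grep -c "from ${LAN_NET} to me"
}

# Load only when asked explicitly:  sh firewall.sh apply
if [ "$1" = "apply" ]; then
    gen_rules | sed 's/^ipfw/sudo ipfw/' | sh
fi
```

Because the cable side and the home LAN share one wire, ipfw cannot use the interface to tell them apart, so a packet from the cable network with a forged 192.168.2.x source would satisfy rules 210-230; rule 110 only refuses packets claiming the Mac's own addresses. Verify what is loaded with sudo ipfw show, which also counts hits on the two logging deny rules.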

Hello,

I see two solutions here.

1) Replace the switch with a router. This will allow your router's input port to take the 24.x address, and will allow the output to be on 192.x network. If you are going to take this approach, then I would go after a wireless router, as if there is a laptop in your future, make the investment now, and simply disable the RF portion of the network. I suggest the wireless router from Buffalo Technologies. I avoid Linksys.

By doing this, you are setting up NAT, and have a clean networking environment. The router will handle NAT, so that you can turn on / off your machines without one relying on the other.

You will need to setup some port forwarding on the router, so that SSH, web, and other Packets reach the proper computer. Matter of fact, you could have two ports: 10022 and 10023 both listening to ssh.... one goes to the Mac, the other to your Windoze box.

2) You can insert a second NIC into your G5 computer, and run one NIC on 24.x and the other NIC on 192.x. Treat the first NIC as an untrusted device, and firewall it. Treat the second NIC as a trusted device, and let it flow.

3) Build a cheap linux server and put that between your cable modem and the switch. Run IPTABLES there. Host your private website there. Route from there.

I think real world applications would strive for #1.

I am surprised that you got two IP numbers to work on the single card. In my 9+ years of computer industry service, I have NEVER seen two IP numbers on the same network card. I would really avoid it. I have seen multiple Netware protocols (Ethernet_II, Ethernet_802.2) bound together, but that is not IP.

Christian

Option #1 is what I have always done. I always had a linksys router that went between the cable modem and the switch. However, I was having problems with it, and just yesterday decided to ditch the router. Hence causing my machine to be wide open. ;)

Even with multiple nic cards in the mac, from what I am seeing, the Mac OS X firewall can only be turned on / off systemwide, without manually editing ipfw. I have stumbled upon a program called BrickHouse, however, so I might give that a try.

Two IPs assigned to one nic was actually an exercise I remember doing in my TCP/IP networking course last semester. ;)

I still do not like the idea of two IP numbers on the NIC. Really messes up routing and other things, like subnetting and collisions and sorts. Ugly.

Be nice, and kindly clean up your network. You mentioned that you were having problems with the router device. What was going wrong?

Christian

It should be noted that SunShield and BrickHouse are just GUIfied front-ends for ipfw, while NetBarrier is a completely separate firewall product.

If you wish to learn to control ipfw by hand (err.. CLI), this is the place to start:

http://www3.sympatico.ca/dccote/firewall.html

Well, a little while ago last year I set up internet sharing with my Palm, but anyway this is what I did:

# Turn on IP forwarding
sudo /usr/sbin/sysctl -w net.inet.ip.forwarding=1
# Denies incoming via en0 (you probably don't want this since you only have one card)
sudo /usr/sbin/natd -same_ports -use_sockets -log -deny_incoming -interface en0
# Use network address translation from any address to any address through en0 (card connected to the net)
sudo /sbin/ipfw add divert natd ip from any to any via en0

"Denies incoming via en0 (you probably don't want this since you only have one card)": I take that back. You will want it to deny stuff coming in from your PPP connection (I'm guessing you use an ADSL modem or something using PPPoE).

So yea, replace all instances of en0 with your outgoing connection.
I am surprised that you got two IP numbers to work on the single card. In my 9+ years of computer industry service, I have NEVER seen two IP numbers on the same network card. I would really avoid it. I have seen multiple Netware protocols (Ethernet_II, Ethernet_802.2) bound together, but that is not IP.

Christian

That surprises _me_.

[~]$ sudo ifconfig en0 inet 192.168.0.1 alias

will create that ip address on the en0 device, which can be accessed from your LAN if your other machines are set up to look for it, and if you've enabled "internet sharing" with natd and ipfw (along with some other useful firewall rules, naturally).

Setting up your firewall/NAT rules manually can be instructive, if somewhat mind-numbing.

There's an interesting shareware program for OS X called Firewalker X2 that works nicely with ipfw to create a very solid firewall. <http://www.pliris-soft.com/>

Warren.

Get yourself a router. It has a hardware firewall to the outside, and you can do what you like on the inside.
