Firewall and NAT startup script for OS X Server
I have put together a Firewall and NAT startup item for Mac OS X 10.2 Server. The server doesn't have a GUI for NAT, and BrickHouse doesn't support a second NIC. I would appreciate some feedback, especially on the ipfw rules; I'm sure there is room for improvement. Please have a look at the Firewall script.

I use this startup item on a Mac OS X 10.2 server (with one extra NIC) that acts as a firewall and NAT server for an internal network. The server is connected to the Internet via ADSL with a static IP address. All the computers on the internal network get a private IP address via DHCP and can surf the Internet, look at home pages, check e-mail, etc. I have added some pointers on how to configure it if you have a dynamic IP address from your ISP, but that is *not* tested.

By default, the script sets up ipfw to block ports 0-1023 inbound and allow ports 1024-65535 inbound. Everything outgoing is allowed. DNS, DHCP, etc. are also set up to work. Open up the services you use by uncommenting their rules in the script.

[Editor's note: I have not tested the following script myself, primarily due to a lack of OS X Server software (and a nice XServe to test on, of course!)]

These instructions are a bit terse; you need to be able to use the Terminal and know some basic Unix commands. I use the private network range 192.168.0.0/24 (192.168.0.1-254), but you can use whatever you like (e.g. 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16). I chose to set the start address for DHCP to *.11 so I can use *.2-10 as fixed addresses.

INSTRUCTIONS:
  1. Download the file Firewall_StartupItem.tar.gz and extract it to some place of your choice.

  2. Edit the startup script "*/Firewall/Firewall". At minimum you need to "Define your variables" and you probably want to make some changes to the ipfw rules. Make sure you save it in text format with Unix line endings.

  3. Edit the file "/etc/hostconfig" and change "IPFORWARDING=-NO-" to "IPFORWARDING=-YES-".
    % sudo pico /etc/hostconfig
  4. Configuration for your extra NIC card:
    IP address: 192.168.0.1
    Subnet mask: 255.255.255.0
    Router address: leave blank
    Domain Name Servers: same as built-in ethernet
    Search Domains: same as built-in ethernet

  5. Configuration for your DHCP server:
    Subnet Name: whatever you want, e.g., Internal Net
    Port: choose the PCI card from the list
    Start: 192.168.0.11
    End: 192.168.0.50
    Subnet Mask: 255.255.255.0
    Router: 192.168.0.1
    Default Domain: same as Search Domains in Network Control Panel
    DNS Servers: same as in Network Control Panel

    Turn on your DHCP server

  6. Copy the folder "Firewall" to "/Library/StartupItems/"
    % cd [path]/Firewall_and_NAT_StartupItem_Mac_OS_X_10.2_Server
    % sudo cp -R ./Firewall /Library/StartupItems/
  7. The permissions should look like this:
    % cd /Library/StartupItems/Firewall
    % ls -l
    -rwxr-xr-x 1 root admin 13586 Jan 1 12:00 Firewall
    drwxr-xr-x 4 root admin 136 Jan 1 12:00 Resources
    -rw-r--r-- 1 root admin 595 Jan 1 12:00 StartupParameters.plist
  8. The script "Firewall" must be executable; if it's not, you need to do a chmod.
    % cd /Library/StartupItems/Firewall
    % sudo chmod 755 Firewall
  9. [Optional] If you want to use the natd configuration file "rc.natd", I recommend you copy it to /usr/local/etc.
    % cd [path]/Firewall_and_NAT_StartupItem_Mac_OS_X_10.2_Server
    % sudo cp ./rc.natd /usr/local/etc/
  10. To activate, you can restart the computer or use SystemStarter.
    % sudo SystemStarter start Firewall
Hopefully it will now work.
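As an added illustration of the policy described above (this is not the hint's own Firewall script, which is only in the download), here is a shell script that emits an ipfw rule set for a two-NIC 10.2 NAT gateway. It assumes en0 faces the ADSL modem, en1 is the PCI card on 192.168.0.0/24, and natd listens on its default divert port 8668. It goes beyond the hint's stateless default in one respect: the rules are laid out in the FreeBSD rc.firewall "stateful plus natd" style, so the keep-state entries are keyed on the private addresses, and the inbound high ports can be closed (HIGH_PORTS_IN=no) without breaking replies to outbound connections.

```shell
#!/bin/sh
# Added example (not the hint's own Firewall script): an ipfw rule set for a
# two-NIC Mac OS X 10.2 NAT gateway. The layout follows the FreeBSD
# rc.firewall "stateful + natd" pattern so that keep-state entries are keyed
# on the PRIVATE addresses: inbound packets are translated by natd BEFORE
# check-state (rule 200 before 300), and outbound packets create state BEFORE
# they are translated (rules 500-520 skip to the divert at 900).
# Interface names, the natd port and the internal network are assumptions.

EXT_IF="${EXT_IF:-en0}"               # built-in Ethernet, towards the ADSL modem
INT_IF="${INT_IF:-en1}"               # PCI NIC, 192.168.0.1 on the internal net
NATD_PORT="${NATD_PORT:-8668}"        # natd's default divert port
HIGH_PORTS_IN="${HIGH_PORTS_IN:-yes}" # the hint's default: 1024-65535 open inbound

# Print the rule set as "ipfw add" commands without touching the kernel, so it
# can be reviewed first. Rule numbers are explicit because order decides.
ipfw_rules() {
    cat <<EOF
ipfw add 00100 allow ip from any to any via lo0
ipfw add 00110 deny ip from any to 127.0.0.0/8
ipfw add 00120 deny ip from 127.0.0.0/8 to any
ipfw add 00200 divert $NATD_PORT ip from any to any in via $EXT_IF
ipfw add 00300 check-state
ipfw add 00400 allow ip from any to any via $INT_IF
ipfw add 00500 skipto 900 tcp from any to any out via $EXT_IF setup keep-state
ipfw add 00510 skipto 900 udp from any to any out via $EXT_IF keep-state
ipfw add 00520 skipto 900 icmp from any to any out via $EXT_IF
ipfw add 00600 allow udp from any 67 to any 68 in via $EXT_IF
ipfw add 00610 allow icmp from any to any in via $EXT_IF icmptypes 0,3,11
EOF
    # Mirrors the hint's default. With HIGH_PORTS_IN=no the box behaves like
    # the later 1.0b4 release (all inbound ports closed); replies to outbound
    # sessions still pass because check-state at 300 accepts them.
    if [ "$HIGH_PORTS_IN" = "yes" ]; then
        cat <<EOF
ipfw add 00700 allow tcp from any to any 1024-65535 in via $EXT_IF
ipfw add 00710 allow udp from any to any 1024-65535 in via $EXT_IF
EOF
    fi
    cat <<EOF
ipfw add 00800 deny log ip from any to any in via $EXT_IF
ipfw add 00900 divert $NATD_PORT ip from any to any out via $EXT_IF
ipfw add 00910 allow ip from any to any
ipfw add 65000 deny log ip from any to any
EOF
}

# Number of rules the current settings produce (17 with high ports open, 15 without).
rule_count() {
    ipfw_rules | grep -c '^ipfw add'
}

# Load the rules. Refuses to run unless root on a host that has ipfw, so the
# script can be read and tested on any machine.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    command -v ipfw >/dev/null 2>&1 || { echo "apply_rules: no ipfw here" >&2; return 1; }
    sysctl -w net.inet.ip.forwarding=1 >/dev/null            # what IPFORWARDING=-YES- does
    sysctl -w net.inet.ip.fw.verbose=1 >/dev/null            # make the "deny log" rules log
    sysctl -w net.inet.ip.fw.dyn_ack_lifetime=3600 >/dev/null # idle TCP state: 1 h, not 300 s
    # natd must be listening on the divert port before the divert rules are
    # loaded, or diverted packets are simply dropped. -dynamic follows an
    # ISP-assigned address that changes.
    ps -axc | grep -q '[n]atd' ||
        natd -port "$NATD_PORT" -interface "$EXT_IF" -use_sockets -same_ports -dynamic
    ipfw -f flush
    ipfw_rules | sh
}

case "${1:-show}" in
    start|apply) apply_rules ;;
    count)       rule_count ;;
    *)           ipfw_rules ;;
esac
```

Run it with no argument to print the rules for review; `sudo sh firewall.sh start` loads them (the `start` argument is what SystemStarter passes to a startup item). The important ordering property to keep when editing: the inbound divert (200) stays ahead of check-state (300), and the outbound keep-state rules (500-520) hand off to the outbound divert (900) rather than allowing the packet directly, otherwise the dynamic rules are keyed on the public address and the translated replies never match them.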
Firewall and NAT startup script for OS X Server | 8 comments

Why not use Brickhouse?
Authored by: TicToc on Dec 09, '02 01:11:48AM

Unless I misunderstand your requirements, I think Brickhouse would do the job you require. It does support two NICs. I have OSX 10.1.5 running on an old 7300 w G3/300 upgrade card, with the internal Ethernet port connected to a cable modem, and a PCI Ethernet card connected to my LAN.

Brickhouse handles the Firewall/NAT duties just fine, and I use dhcpd (from Fink) as my dhcp server. Having said that, Brickhouse seems to have a bug or two in its ability to load current settings for firewall & routing - I generally have to start from scratch if I want to change anything, rather than just open Bh and make the necessary changes. Your method is likely more robust.

I don't have OSX Server, so it may be that Brickhouse behaves differently in that environment. In my case, I just used the "Airport" tab as my PCI Ethernet NIC.

Hope this helps.
John Cunningham

Why not use Brickhouse?
Authored by: Anonymous on Dec 09, '02 04:25:29PM

I tried to use BrickHouse but could not get it to work. I use it to configure ipfw on my own computer and like it a lot. After your report I must start testing it again.

Building the script has at least made me understand ipfw a lot better. I like understanding the things that are protecting me :-). I would love some comments on the ipfw rules so I can improve them further.

Why not use Brickhouse?
Authored by: bluehz on Dec 09, '02 07:49:36PM

I tried to use BrickHouse for over a year - with minimal success. I love the down and dirty approach of BrickHouse - but it was just too unreliable. Sometimes it would work for a month - then something would happen and it would just go south. Never would display logs either. Attempts to contact the author never yielded any solutions. It's unfortunate - I had high hopes for BrickHouse.

Finer Tuning
Authored by: anwnn on Dec 11, '02 08:38:31PM

I think the firewall rules need to be tuned a bit finer. I had timeout problems with a remote IRC server, and Instant Messaging after testing this out tonight. I attempted to fine tune it myself, but my lack of ipfw knowledge prevented me from really getting anywhere.

Hopefully there will be a revision, as I'd like to move away from IPNetShareX, and implement a firewall.

Re: Finer Tuning
Authored by: Anonymous on Dec 12, '02 04:59:54PM

I just uploaded a new version to <http://pobox.com/~fredrik/comp/download.phtml>. Please see if it works better for you.

**Release Notes**
Version 1.0b2 -- 2002-12-12
- Changed the name by removing "Server". Everything except the instructions for the DHCP server should apply to all Mac OS X 10.2.
- Added a rule that sends a RESET to all ident packets. Hopefully this will help with IRC problems.
- The rc.natd will be used automatically if it is in place.
- Removed the "-unregistered_only" flag from the natd configuration.
- "Set longer ACK lifetime" is active by default. Hopefully this will help with various timeout problems.

New version of Firewall and NAT startup script for OS X
Authored by: Anonymous on Sep 10, '03 05:10:33AM
I have just released version 1.0b4; you will find a download link and more info on my Firewall page.
**Release Notes**
Version 1.0b4 -- 2003-09-10
- Added information about how to get port forwarding working.
- All incoming ports closed by default.
- Added more descriptive comments to rules.
- Added state to more rules.
- Added rules for Rendezvous, iTunes 4, iChat AV, BitTorrent and NetFone.
- All rules have unique rule numbers
- Cleaned up and moved around some rules.

New version of Firewall and NAT startup script for OS X
Authored by: sjdel on Oct 11, '03 10:33:27PM

Frjo,

I've been trying to get this to work for my particular situation for days to no avail.

I need to forward a specific port (3389) through my Xserve, which has a static IP, to a specific private address (192.168.238.x), thus not using dhcp. No matter what I've tried, it doesn't seem to want to let it pass through, even while allowing all traffic through the firewall.

Any ideas/suggestions?

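The port-forwarding setup that the question above and the 1.0b4 release notes refer to, as an added example that is not part of the thread or of the author's script: the rc.natd fragment that tells natd to redirect the port, the ipfw rules that have to accompany it, and a small check that reads back what an installed rc.natd actually redirects. The internal host 192.168.238.10 is a placeholder (the comment only gives 192.168.238.x), en0 as the public interface is an assumption, and /usr/local/etc/rc.natd is the path the hint suggests for the natd configuration.

```shell
#!/bin/sh
# Added example, not the thread's own material: the two pieces needed to
# forward one TCP port through a natd/ipfw box to a fixed internal host,
# generated by functions so the text can be checked before it is installed.
# The internal address 192.168.238.10 is a placeholder (the comment above only
# says 192.168.238.x); en0 as the public interface is an assumption too.

EXT_IF="${EXT_IF:-en0}"
FWD_PORT="${FWD_PORT:-3389}"
FWD_HOST="${FWD_HOST:-192.168.238.10}"             # placeholder internal host
NATD_CONF="${NATD_CONF:-/usr/local/etc/rc.natd}"   # path the hint suggests

# rc.natd contents in the syntax "natd -f FILE" reads: the command-line options
# without the leading dash, one per line. redirect_port rewrites the
# destination of packets that arrive on the public address at FWD_PORT.
natd_conf() {
    cat <<EOF
interface $EXT_IF
use_sockets yes
same_ports yes
dynamic yes
redirect_port tcp $FWD_HOST:$FWD_PORT $FWD_PORT
EOF
}

# The ipfw side, to sit alongside the rest of the rule set. natd rewrites the
# packet at the divert rule and evaluation continues with the NEXT rule on the
# rewritten packet, so the allow rule has to name the INTERNAL host: a rule
# written for the public address never matches once the destination has been
# translated. Replies from the internal host are translated back by the
# outbound divert rule and need nothing beyond the usual "everything out"
# policy. The packet is only forwarded at all if IPFORWARDING=-YES- is set in
# /etc/hostconfig (i.e. sysctl net.inet.ip.forwarding=1).
forward_rules() {
    cat <<EOF
ipfw add 00200 divert 8668 ip from any to any in via $EXT_IF
ipfw add 00210 allow tcp from any to $FWD_HOST $FWD_PORT in via $EXT_IF
EOF
}

# Print "proto host port public_port" for every redirect_port line in an
# rc.natd file, to confirm what natd will actually be told to do.
redirect_targets() {
    awk '$1 == "redirect_port" { split($3, t, ":"); print $2, t[1], t[2], $4 }' "$1"
}

# Write the config and restart natd on it. Root-only, and only where natd exists.
install_natd_conf() {
    [ "$(id -u)" -eq 0 ] || { echo "install_natd_conf: must run as root" >&2; return 1; }
    command -v natd >/dev/null 2>&1 || { echo "install_natd_conf: no natd here" >&2; return 1; }
    natd_conf > "$NATD_CONF"
    killall natd 2>/dev/null   # the running natd does not re-read its file
    natd -f "$NATD_CONF"
    redirect_targets "$NATD_CONF"
}

case "${1:-show}" in
    install) install_natd_conf ;;
    check)   redirect_targets "$NATD_CONF" ;;
    *)       natd_conf; echo; forward_rules ;;
esac
```

`sh forward.sh` prints both fragments; `sudo sh forward.sh install` writes the file and restarts natd on it; `sh forward.sh check` reads back the redirect lines from the installed file, which is the first thing to look at when a forwarded port does not answer: if the line is missing, natd was started without the file and no firewall rule will help.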
another option other than Brickhouse
Authored by: webbix on Aug 12, '04 03:57:33PM

Go to this site <http://www.sunprotectingfactory.com/> and check out the currently free 'sunShield' for OS X. This is a preference pane that does support two NICs, provides router configuration, NAT, firewall configuration, autostart, pre-configured profiles and rules export.

I have only tinkered with it in the previous version (current is 1.5). I was able to use it on my TiBook to share my Airport wireless connection via a second wifi card in my card slot.
