I use this startup item on a Mac OS X 10.2 server (with one extra NIC card) that acts as a Firewall and NAT server for an internal network. The server is connected to the Internet via ADSL with a static IP address. All the computers on the internal network get a private IP address via DHCP and can surf the Internet, look at home pages and check e-mail etc. I have made some pointers on how to configure it if you have a dynamic IP address from your ISP, but it's *not* tested.
By default, the script sets up ipfw to block inbound traffic to ports 0-1023 and allow inbound traffic to ports 1024-65535. All outgoing traffic is allowed. DNS, DHCP etc. are also set up to work. Open up the services you use by uncommenting their rules in the script.
[Editor's note: I have not tested the following script myself, primarily due to a lack of OS X Server software (and a nice XServe to test on, of course!)]
These instructions are a bit terse; you need to be able to use the Terminal and know some basic Unix commands. I use the private network range 192.168.0.0/24 (192.168.0.1-254), but you can use whatever you like (e.g. 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16). I chose to set the start address for DHCP to *.11 so I can use *.2-10 as fixed addresses.
INSTRUCTIONS:
- Download the file Firewall_StartupItem.tar.gz and extract it to some place of your choice.
- Edit the startup script "*/Firewall/Firewall". At minimum you need to "Define your variables" and you probably want to make some changes to the ipfw rules. Make sure you save it in text format with Unix line endings.
- Edit the file "/etc/hostconfig" and change "IPFORWARDING=-NO-" to "IPFORWARDING=-YES-".
% sudo pico /etc/hostconfig
- Configuration for your extra NIC card:
IP address: 192.168.0.1
Subnet mask: 255.255.255.0
Router address: leave blank
Domain Name Servers: same as built-in ethernet
Search Domains: same as built-in ethernet
- Configuration for your DHCP server:
Subnet Name: whatever you want, e.g., Internal Net
Port: choose the PCI card from the list
Start: 192.168.0.11
End: 192.168.0.50
Subnet Mask: 255.255.255.0
Router: 192.168.0.1
Default Domain: same as Search Domains in Network Control Panel
DNS Servers: same as in Network Control Panel
Turn on your DHCP server
- Copy the folder "Firewall" to "/Library/StartupItems/"
% cd [path]/Firewall_and_NAT_StartupItem_Mac_OS_X_10.2_Server
% sudo cp -R ./Firewall /Library/StartupItems/
- The permissions should look like this:
% cd /Library/StartupItems/Firewall
% ls -l
-rwxr-xr-x 1 root admin 13586 Jan 1 12:00 Firewall
drwxr-xr-x 4 root admin 136 Jan 1 12:00 Resources
-rw-r--r-- 1 root admin 595 Jan 1 12:00 StartupParameters.plist
- The script "Firewall" must be executable; if it's not, you need to do a chmod.
% cd /Library/StartupItems/Firewall
% sudo chmod 755 Firewall
- [Optional] If you want to use the natd configuration file "rc.natd", I recommend you copy it to /usr/local/etc.
% cd [path]/Firewall_and_NAT_StartupItem_Mac_OS_X_10.2_Server
% sudo cp ./rc.natd /usr/local/etc/
- To activate, you can restart the computer or use the SystemStarter.
% sudo SystemStarter start Firewall

