

What I have done for a firewall and nat to share a dial-up connection
Authored by: drush on Jul 09, '02 08:10:30PM

I have generated 4 files (firewall, firewall.conf, natd.conf, ip-up) with help from Brickhouse, GNat, and others. This has allowed a totally reliable dial-up on-demand shared internet connection from multiple Macs. Each downstream Mac needs a manual IP (10.0.0.2, 10.0.0.3, ...) and the host's IP (10.0.0.1) entered as the Router in TCP/IP settings; also be sure to enter any DNS servers from the ISP if required. The host Mac runs the firewall and natd. On it I have set PPP to connect automatically in the PPP options. The contents of the four files are:

**************************************************************************
Below is the text for the Firewall file; put it in /Library/StartupItems/Firewall
**************************************************************************

#!/bin/sh
# Firewall Boot Script
# Generated by me
#===========================================================
# Load the StartupItem helpers (this is what defines ConsoleMessage)
#===========================================================
. /etc/rc.common

#===========================================================
# Process Firewall Rules File
#===========================================================
ConsoleMessage "Starting Firewall"
/sbin/ipfw -q /etc/firewall.conf

#===========================================================
# natd service startup item - enables internet connection sharing on startup
#===========================================================
ConsoleMessage "Starting natd Services"
/usr/sbin/sysctl -w net.inet.ip.forwarding=1
/sbin/ifconfig en0 10.0.0.1 netmask 255.255.255.0
/usr/sbin/natd -f /etc/natd.conf


**************************************************************************
Below is the text for the firewall.conf file; put it in /etc
**************************************************************************

# Firewall rules file, loaded with ipfw by /Library/StartupItems/Firewall/Firewall
# Generated by DJR


#################################################
# Allow Loopback
#################################################
add 1000 allow ip from any to any via lo0

#################################################
# Allow natd packets
#################################################
add 1001 divert natd all from any to any via ppp0

#################################################
# Allow packets from existing connections
# 'established' is stateless: it matches any TCP segment with ACK or RST
# set, from anywhere. The rule below may be narrowed by port,
# e.g. add 1002 allow tcp from any 80 to any established
#################################################
add 1002 allow tcp from any to any established
add 1003 allow all from any to any frag

#################################################
# Allow Essential ICMP Traffic
#################################################
add 1004 allow icmp from any to any icmptype 3,4,11,12

#################################################
## Rules for Home Net - allow ip over ethernet
#################################################
add 2000 allow all from any to any via en0

#################################################
## Rules for Home Net - stop AFP (TCP port 548) over PPP
## 548 is Apple Filing Protocol over TCP, not AppleTalk. A rule on
## replies leaving from port 548 would never fire (rule 1002 already
## passes them), so the inbound connection attempt is what gets denied.
#################################################
add 2001 deny log tcp from any to any 548 in via ppp0

#################################################
## Rules for the ppp0 interface
#################################################

#################################################
## Allow DHCP/BOOTP
#################################################
add 3000 allow udp from any 67-68 to any 67-68 via ppp0

#################################################
## Allow Broadcast (for DHCP, etc)
#################################################
add 3001 allow ip from any to 255.255.255.255 via ppp0

#################################################
## Deny Source Routed Packets
## An ipopt list matches only packets carrying every listed option,
## so ssrr and lsrr need a rule each.
#################################################
add 3002 unreach host log ip from any to any ipopt ssrr via ppp0
add 3002 unreach host log ip from any to any ipopt lsrr via ppp0

#################################################
## Allow Network Time (NTP)
## note: this also admits any inbound UDP with source port 123 to a
## high port on the host; a source-port check is not authentication
#################################################
add 3003 allow udp from any 123 to any 1024-65535 via ppp0

#################################################
## Allow All ICMP Packets (including echo requests to the host)
#################################################
add 3004 allow icmp from any to any via ppp0

#################################################
## Allow FTP-Data port (active-mode data connections from the server)
## note: any inbound SYN with source port 20 or 21 to a high port gets
## through; passive-mode FTP needs only the outgoing rule at the end
#################################################
add 3005 allow tcp from any 20-21 to any 1024-65535 in via ppp0

#################################################
## Allow DNS
#################################################
add 3006 allow udp from any 1024-65535 to any 53 out via ppp0
add 3007 allow udp from any 53 to any 1024-65535 in via ppp0

#################################################
## Fire-AOL IM
#################################################
add 3010 allow tcp from any to any 9898 in via ppp0
add 3010 allow tcp from any 9898 to any out via ppp0

#################################################
## Fire-ICQ
#################################################
add 3011 allow tcp from any to any 5190 in via ppp0
add 3011 allow tcp from any 5190 to any out via ppp0

#################################################
## ICQ Chat (UDP)
#################################################
add 3012 allow udp from any to any 4000 in via ppp0
add 3012 allow udp from any 4000 to any out via ppp0

#################################################
## iVisit
#################################################
add 3013 allow udp from any to any 9943 in via ppp0
add 3013 allow udp from any 9943 to any out via ppp0

#################################################
## iVisit
#################################################
add 3014 allow udp from any to any 56768 out via ppp0
add 3014 allow udp from any 56768 to any in via ppp0


#################################################
## Allow All Outgoing Services
#################################################
add 53035 allow all from any to any out via ppp0

#################################################
## Deny All Incoming Services
#################################################
add 53036 deny log all from any to any in via ppp0


**************************************************************************
Below is the text for the natd.conf file; put it in /etc
**************************************************************************


# Config file used by natd startup script in /Library/StartupItems/Firewall/Firewall
#
same_ports yes
use_sockets yes
# remove comment from next line to drop inbound packets that have no entry in the
# translation table (i.e. unsolicited connections from the internet to the host)
#deny_incoming yes
dynamic yes
interface ppp0
#
# End natd config file


**************************************************************************
Below is the text for the ip-up file; put it in /etc/ppp
**************************************************************************


#!/bin/tcsh
#===========================================================
# Restart natd for each PPP session
# (pppd passes the interface name as $1; ppp0 is assumed here)
#===========================================================
/bin/sleep 10
set natdpid = `ps -uxc -U root | grep ' natd$' | awk '{ print $2 }'`
if ( "$natdpid" != "" ) then
    # SIGHUP makes natd re-read the address of its interface
    /bin/kill -HUP $natdpid
endif
# delete the old divert rule first so rule 1001 is not duplicated on every redial
/sbin/ipfw -q delete 1001
/sbin/ipfw -q add 1001 divert natd all from any to any via ppp0

======================================================




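An added check, not part of drush's hint or of Brickhouse: a first-match simulator in Python for the subset of ipfw syntax the ruleset above uses. It embeds a condensed copy of the rules and runs constructed probe packets through them, which shows what the stateless `established` rule, the source-port based FTP and NTP rules and the single-line `ipopt ssrr,lsrr` rule actually admit. Assumptions: divert is modelled as a pass-through (natd's address rewriting is not simulated), Mac OS X's default rule 65535 is allow, and the remote address 198.51.100.7 is a constructed one.

```python
from dataclasses import dataclass

# Condensed copy of firewall.conf (rule 3002 kept in its single-line ssrr,lsrr form).
RULES = """
add 1001 divert natd all from any to any via ppp0
add 1002 allow tcp from any to any established
add 2001 deny tcp from any 548 to any out via ppp0
add 3002 unreach host log ip from any to any ipopt ssrr,lsrr via ppp0
add 3003 allow udp from any 123 to any 1024-65535 via ppp0
add 3005 allow tcp from any 20-21 to any 1024-65535 in via ppp0
add 53035 allow all from any to any out via ppp0
add 53036 deny log all from any to any in via ppp0
"""
OPTION_WORDS = {"established", "ipopt", "in", "out", "via"}
EXTERNAL = "198.51.100.7"   # constructed remote address (TEST-NET-2)

@dataclass
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    iface: str                        # "ppp0" or "en0"
    direction: str                    # "in" or "out"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()    # TCP flags, e.g. {"SYN"} or {"ACK"}
    ipopts: frozenset = frozenset()   # IP options carried, e.g. {"lsrr"}

def port_ranges(spec):
    """'20-21' -> [(20, 21)]; '80' -> [(80, 80)]; comma lists are allowed."""
    return [(int(lo), int(hi or lo)) for lo, _, hi in (p.partition("-") for p in spec.split(","))]

def parse_rule(line):
    """Parse the subset of ipfw syntax used in firewall.conf into a dict."""
    tok = line.split()
    rule = {"num": int(tok[1]), "action": tok[2], "opts": {}}
    i = 4 if tok[2] in ("divert", "unreach") else 3   # "divert natd", "unreach host"
    i += tok[i] == "log"                              # optional 'log' keyword
    rule["proto"] = tok[i]
    i += 2                                            # past proto and "from"
    for side in ("src", "dst"):
        rule[side], rule[side + "_ports"], i = tok[i], None, i + 1
        if i < len(tok) and tok[i] != "to" and tok[i] not in OPTION_WORDS:
            rule[side + "_ports"] = port_ranges(tok[i])
            i += 1
        i += side == "src"                            # past "to"
    while i < len(tok):                               # trailing option keywords
        takes_arg = tok[i] in ("ipopt", "via")
        rule["opts"][tok[i]] = tok[i + 1] if takes_arg else True
        i += 2 if takes_arg else 1
    return rule

def matches(rule, p):
    o = rule["opts"]
    if rule["proto"] not in ("ip", "all", p.proto):
        return False
    for addr, ports, pkt_addr, pkt_port in ((rule["src"], rule["src_ports"], p.src, p.sport),
                                             (rule["dst"], rule["dst_ports"], p.dst, p.dport)):
        if addr not in ("any", pkt_addr):
            return False
        if ports is not None and (p.proto not in ("tcp", "udp")   # ports only match TCP/UDP
                                  or not any(lo <= pkt_port <= hi for lo, hi in ports)):
            return False
    if ("in" in o and p.direction != "in") or ("out" in o and p.direction != "out") \
            or ("via" in o and o["via"] != p.iface):
        return False
    # 'established' is stateless: any segment with ACK or RST set qualifies
    if "established" in o and not (p.proto == "tcp" and p.flags & {"ACK", "RST"}):
        return False
    # an ipopt list is a conjunction: every listed option must be present
    if "ipopt" in o and not set(o["ipopt"].split(",")) <= p.ipopts:
        return False
    return True

PARSED = [parse_rule(l) for l in RULES.strip().splitlines()]

def evaluate(p, rules=PARSED):
    """First terminal match wins. divert is not terminal: natd rewrites the packet and
    it continues at the next rule (the address rewrite itself is not modelled)."""
    for rule in rules:
        if matches(rule, p) and rule["action"] != "divert":
            return ("allow" if rule["action"] == "allow" else "deny"), rule["num"]
    return "allow", 65535            # Mac OS X's default rule 65535 is allow

def audit():
    """Constructed probes against the ruleset; returns {name: (verdict, rule number)}."""
    syn = frozenset({"SYN"})
    probes = {
        # rule 3005 trusts any inbound SYN whose source port is 20 or 21 (active-FTP hole)
        "syn_from_port20": Packet("tcp", EXTERNAL, "10.0.0.1", "ppp0", "in", 20, 6000, syn),
        # rule 3003 likewise trusts any datagram with UDP source port 123
        "udp_from_123": Packet("udp", EXTERNAL, "10.0.0.1", "ppp0", "in", 123, 31337),
        # inbound AFP: rule 2001 never fires; only the catch-all 53036 stops it
        "afp_syn_in": Packet("tcp", EXTERNAL, "10.0.0.1", "ppp0", "in", 40000, 548, syn),
        # a packet carrying only lsrr slips past 'ipopt ssrr,lsrr', which needs both
        "lsrr_only_out": Packet("tcp", "10.0.0.1", EXTERNAL, "ppp0", "out", 50000, 80, syn, frozenset({"lsrr"})),
        "both_routes_out": Packet("tcp", "10.0.0.1", EXTERNAL, "ppp0", "out", 50000, 80, syn, frozenset({"ssrr", "lsrr"})),
    }
    return {name: evaluate(p) for name, p in probes.items()}
```

`audit()` returns the verdicts: the FTP and NTP probes come back allowed by rules 3005 and 3003, the AFP SYN is stopped only by 53036, and the lsrr-only packet is allowed by 53035 while the packet carrying both options is caught by 3002, which is why the source-route rule is better written as two rules. `established` passes any inbound segment with ACK set regardless of ports, so with natd in front of a LAN the catch-all deny at 53036 is what actually carries the inbound policy.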
Re: What I have done for a firewall and nat to share a dial-up connection
Authored by: iMMersE on Jul 10, '02 08:38:17AM

Put your hand up if you have taken that directly from Brickhouse? Well, OK, credit where credit's due, you changed Brickhouse to me on line 2!

Useful information though; people will soon learn that they don't have to pay for applications which are in effect only GUIs to a few text files if they are prepared to get their hands a little dirty, and learn something new at the same time.



Re: What I have done for a firewall and nat to share a dial-up connection
Authored by: iMMersE on Jul 10, '02 08:40:29AM

OK, you mentioned you'd used Brickhouse to generate the files, my bad. My second point is valid though. Anyway, I'll get my coat ...


