After testing port scanners on OS 10.2.6 using the built-in firewall (IPFW), and then trying Brickhouse, I did some further investigation into the details of IPFW.
I hope that my rules below, which enable the stateful behavior of the firewall, are more secure than the default or Brickhouse default rules. You can, of course, use Brickhouse to implement these rules:
allow ip from any to any via lo0
deny ip from any to 127.0.0.0/8
deny ip from 127.0.0.0/8 to any
allow ip from any to 255.255.255.255
allow udp from any 67-68 to any 67-68
allow icmp from any to any in icmptype 3
allow ip from any to any keep-state out
deny ip from any to any
[robg adds: To add these rules using ipfw in the Terminal, you'd use ipfw add allow ip...etc -- see man ipfw for more information. Note that I have not tested these settings. Comments on their validity, anyone?]
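As an added example (not the hint author's rules file or Brickhouse's code), here is a script that loads the ruleset above with explicit, gapped rule numbers and lets you review the exact commands before anything is flushed; the rule numbers and the DRY_RUN switch are my own choices.

```shell
#!/bin/sh
# Added example, not the hint author's script: load the stateful ruleset above
# with explicit, gapped rule numbers so later rules can be slotted in without
# renumbering.  The rule numbers and the DRY_RUN switch are my own choices.

# The ruleset in `ipfw add` form.  Order matters: loopback first, then the
# anti-spoofing denies for 127/8, broadcast and DHCP, ICMP "unreachable",
# the keep-state rule that lets replies to our own outbound traffic back in,
# and finally an explicit deny so nothing depends on the kernel's default rule.
ipfw_ruleset() {
    cat <<'EOF'
add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00300 deny ip from 127.0.0.0/8 to any
add 00400 allow ip from any to 255.255.255.255
add 00500 allow udp from any 67-68 to any 67-68
add 00600 allow icmp from any to any in icmptype 3
add 00700 allow ip from any to any keep-state out
add 65000 deny ip from any to any
EOF
}

# Same rules as shell commands, one per line (what apply_ruleset will run).
ipfw_commands() {
    ipfw_ruleset | sed 's/^/ipfw /'
}

ipfw_rule_count() {
    ipfw_ruleset | wc -l | tr -d ' '
}

# Flush the current rules (-f skips the "Are you sure?" prompt) and load ours.
# With DRY_RUN=1 the commands are only printed, which is useful for review.
apply_ruleset() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        ipfw_commands
        return 0
    fi
    sudo ipfw -f flush
    ipfw_ruleset | while read -r rule; do
        # $rule is deliberately unquoted so it splits into ipfw's arguments.
        sudo ipfw $rule
    done
    # Check the result: `ipfw list` shows the static rules; `ipfw -d list`
    # also shows the dynamic entries created by the keep-state rule.
    sudo ipfw -d list
}
```

Source the file and run `DRY_RUN=1 apply_ruleset` to see the commands, or `apply_ruleset` to flush and load them.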
If you are getting -47 errors when connecting to a Windows machine using an SMB URL, try relaunching the Finder and your shares should appear on your desktop. My suspicion is that the error occurs when the share is mounted, but not visible in the Finder. If the Finder is relaunched, the share appears on the desktop.
I can get up to two connections to a Windows 2000 SMB share. If I disconnect those two connections from Windows, and then try to connect again from the Mac, I will get a -36 error message. If I relaunch the Finder, though, then both shares will appear on the desktop.
This morning I was trying to help a friend set up the FTP server in OS X 10.2. In particular, we were trying to get ftpchroot (see this hint) working, which restricts FTP users to their home directory. As noted in the referenced hint, it's relatively easy to set up, but after creating the proper file, any attempt to FTP was met with this:
% ftp 192.168.10.10
Connected to 192.168.10.10.
220 192.168.10.10 FTP server (lukemftpd 1.1) ready.
Name (192.168.10.10:robg): robg
331 Password required for robg.
550 Can't change root.
ftp: Login failed.
A little Google searching found this page, which explains the cause of the problem:
Internally, the bug is caused by changing the effective userid of the ftpd process to the user logging in before invoking the chroot command. Unfortunately, the chroot command can only be done by the root user, which is the user into which ftpd is first launched. It would be interesting to see the details of the original bug to see if it was creating a security issue or just an inconvenience.
The solution, also detailed on the same page, is to replace lukemftpd, Apple's chosen FTP server program, with an earlier bug-free version. Instructions are provided to build from source (you'll need an Apple Open Source ID to get the files), or you can use the author's precompiled binary.
Others will comment, of course, that you can avoid all these problems in the first place by just switching to proftpd, about which I've heard good things (though I don't do much with FTP, so I haven't installed it myself). If one were to do this, however, I don't know of a method of changing the Sharing preferences panel such that it launches proftpd instead of Apple's built-in FTP server.
I have a D-Link 614+ and the 800AP access point setup in my apartment, with a G4 tower at the 614+, and a 12" PowerBook wirelessly connected. I was having problems connecting to file sharing if I was connected to the access point, but not if I was connected to the 614+ itself; there were no other problems.
I figured out that even though I had the tower connected via Ethernet to the 614+, it was being given two IP addresses: one for Ethernet, and one for AirPort. This didn't impact any other operations, but for some reason, it just wouldn't work connecting through the access point. I turned off AirPort in the tower, and the problem was solved. I'm sure this affects a very small number of people, but it was very frustrating and I didn't find any info about it on the web.
If you are using the Cisco VPN client 3.7.x with the GUI, you might have noticed that when it is installed, your network won't return from sleep. After having to reboot every time this happened, I got frustrated. Apparently this problem is fixed in version 4.x of the client, but you can't get it from Cisco unless you have a Cisco support contract, and our network security guys don't want to upgrade to 4.x just yet. So aside from black hat methods, I am stuck with 3.7.2.
If you lose your network after waking from sleep, here is an easier way to get it back than a reboot. Run these two commands in Terminal (or your favorite terminal application):
sudo ifconfig en0 down
sudo ifconfig en0 mtu 1500 up
Most Macs with one network card should have their card at en0. If your card is not at en0, substitute which interface you want to reset. I am assuming that if you have multiple ethernet interfaces, you can figure out which one is which.
Also, the MTU setting *could* be different for you. 1500 is the default, but who knows what your ISP or network guys or yourself might have set. So if you are concerned you can just type ifconfig en0, which will spit out your current network configuration. Somewhere in there, usually near the end of the first line, you will see your MTU setting, and you can adjust the above commands to set it back to that same value.
I am sure that you could wrap all this into an AppleScript application or something. For some reason, turning the interface off and back on again from within System Preferences doesn't do the trick.
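As an added example (not the hint author's commands), here is a script that reads the interface's current MTU from ifconfig before bouncing it, so the second command restores the right value automatically; the interface name en0 follows the hint, the sample ifconfig output is constructed, and DRY_RUN is my own switch.

```shell
#!/bin/sh
# Added example, not the hint author's commands: bounce an interface after sleep
# while keeping whatever MTU is currently set, instead of assuming 1500.
# Assumes BSD-style `ifconfig` output ("... mtu NNNN" on the first line) as on
# OS X; the interface defaults to en0 as in the hint.  DRY_RUN is my own switch.

# Print the MTU found in a block of ifconfig output, or 1500 if none is present.
mtu_from_ifconfig() {
    mtu=$(printf '%s\n' "$1" |
        sed -n 's/.*[[:space:]]mtu[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' |
        head -n 1)
    printf '%s\n' "${mtu:-1500}"
}

# Constructed sample of `ifconfig en0` output (with a PPPoE-style 1492 MTU, to
# show that the script does not silently reset it to 1500).
SAMPLE_IFCONFIG='en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1492
    inet 192.168.1.20 netmask 0xffffff00 broadcast 192.168.1.255
    ether 00:03:93:aa:bb:cc
    media: autoselect (100baseTX <full-duplex>) status: active'

# reset_iface [interface] [mtu]: take the interface down and bring it back up
# with the given MTU, or with the MTU read from the live interface.
reset_iface() {
    iface=${1:-en0}
    if [ -n "$2" ]; then
        mtu=$2
    else
        # Missing interface or missing ifconfig both fall back to 1500.
        mtu=$(mtu_from_ifconfig "$(ifconfig "$iface" 2>/dev/null)")
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "sudo ifconfig $iface down"
        echo "sudo ifconfig $iface mtu $mtu up"
        return 0
    fi
    sudo ifconfig "$iface" down
    sudo ifconfig "$iface" mtu "$mtu" up
    # Show the result so a wrong MTU is visible immediately.
    ifconfig "$iface"
}
```

Source the file and run `reset_iface en0`, or `DRY_RUN=1 reset_iface en0` to see what it would run.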
If you need to get out onto the Internet via a connected Windows XP/2003 machine and don't have your WiFi Access Point or a Bluetooth Access Point for your Apple Powerbook G4, here's a cheap alternative. I had a spare Epox BT-DG02 Bluetooth dongle lying around that I configured to accept PPP over RFCOMM (Bluetooth), and let me surf away. Read the rest of the hint for the setup instructions...
Windows NT, 2000, and XP have built-in LPD printing, but Windows 95, 98, and ME don't. However, using the free LPD-Win utility available online, you can still print from a Mac to a printer connected to a Windows machine. This tutorial explains how to set it all up.
I work for a tech consultancy that likes to stay on the bleeding edge, and we recently upgraded to Windows Server 2003 and Exchange 2003, wreaking havoc with my ability to connect to Windows network shares (via Finder or the command line) and to Exchange via Entourage's new quasi-native Exchange implementation.
The fix for file sharing turned out to be that Windows Server 2003 now digitally signs all SMB packets to prevent "man in the middle" attacks that intercept and modify packets. This feature breaks compatibility with all Samba versions prior to 3.0 (still in beta), which includes Apple's Windows file sharing (currently based on Samba 2.2.3a). So to allow Mac, Linux and other clients to connect to shares on a 2003 box, you (or your Windows server admin) will have to disable digital signing of SMB packets in the appropriate local or group permissions area depending on your server setup. After that, the old Finder -> Go -> Connect to Server... works like a charm. Whenever Samba 3.0 becomes stable enough for Apple to use it, you may want to turn packet-signing back on again.
Getting Entourage syncing with Exchange 2003 (still in pre-release) was trickier because IMAP4 and WebDAV aren't enabled by default in 2003. Again, you or your Windows admin will have to enable these depending on local and group permissions. This document on Microsoft's Mac web site gives some configuration tips. It's still not the missing Outlook X (no task lists, no viewing other people's contacts, only mail folders work as public folders since they have to be shared out by IMAP), but mail folders, calendar, appointments and contacts all sync up automatically with Exchange, which is 98% of what I need.
Also, although I've heard of problems connecting to Samba servers in a Server 2003 environment, I've had no trouble using a Windows machine to connect to either my Mac or our Linux servers via SMB -- although these are all standalone servers which aren't configured to do external LDAP/Active Directory authentication or to act as master browsers or domain controllers.
How to set up a PC with a wireless card to connect to the internet through a Mac with an Airport card and internet sharing turned on:
Open System Preferences, Sharing Control Panel, Internet Tab. Once there, check only the 'Share your connection with Airport-equipped computers' box.
Click 'Start' then click 'Airport Options...'. Give your Network a Name. Set the channel to some number. This will be the 'Key index (advanced)' value on the PC.
Check the 'Enable encryption (using WEP)' box. Set the WEP key length to 40-bit.
Get WEP Key Maker. This freeware app lets you create a reproducible hex code for a given password or phrase. Use the app to get your Hex key from WEP Key Maker; i.e. Apple -> 077495204A. You enter it with a $ in front, like this: $077495204A, to make it a valid Hex password. Click OK.
In your Network Connections folder, double click your "Wireless Network Connection." Select Properties and go to the Wireless Networks Tab.
Select the Network that you created with your Mac and click Configure or Properties. Check the 'Data encryption (WEP enabled)' box and the 'Network Authentication (Shared mode)' box.
Enter the Hex network key (password) you used to create the Mac network. You don't need the $ symbol in front.
Set the 'Key index (advanced)' value to the value you used to set up the Mac Network.
Make sure that 'Enable IEEE 802.x authentication for this network' is not checked under the Authentication Tab.
Upon restarting you should have a connection through your wireless card! Thanks to Bruce Thomson on the Apple Discussions Forums.
I recently ran into the problem of linking two existing ethernet networks in my company.
Our first network has SHDSL Internet access routed into the network by an SHDSL router. Our network is heterogeneous, running a mix of Macintosh, Linux and Windows machines. We are in the graphical industry, meaning we have heavy loads of files that need to be transferred at quite some speed over the network.
Now we were given a second floor office space by our landlord. However, wiring the network to that second floor seemed to be just unmanageable. A wireless connection would be just the right thing for us - so we thought!
Although the Macs in question are not that old, some Dual Processor PowerPC 1GHz "Mirror Doors," this particular model is just not "Airport Extreme" capable, meaning you can only plug in an ordinary Airport card (i.e. 802.11b standard, at 11Mbit/s). This, however, would have been definitely too slow for us. I wanted an 802.11g, i.e. 51Mbit/s, connection at least! So, what could I do?!
I thought of maybe linking the original network with the new second floor workstations with two Airport Extreme base stations, so I phoned up my dear friend Jason at the Apple Store in Ireland - wonder who else is good friends with Jason! He then phoned up Apple Support - and I did the same, to maybe even get a second opinion. Both said that, owning older Macs, there would be no way of linking them by Airport Extreme, i.e. 802.11g, i.e. 51Mbit/s, i.e. the so-called "Wi-Fi" wireless network.
I had a very long look through Internet pages. No answer whatsoever. Phoning up other wireless network vendors also turned out to be of no help: there was simply no way to join two networks over the air at a speed of 51 Mbit/s. Or was there?!
[robg adds: Read the rest of the article for a detailed solution to this problem. I haven't tested this one, so if anyone can confirm it, please do so via the comments...]