OS 10.2.1 Internet Sharing and Firewall


OS X Man

Sep 28, 2002, 1:12:09 PM
I've been playing with the Internet sharing in Jaguar. I installed a
2nd NIC, and I have my cable modem shared. I've been doing this thru
my Windows machine for years, just wanted to try out the OS X version.

Anyways, the Firewall settings seem to apply automatically to *both*
networks. IOW, if I start the firewall, it blocks connections from my
local computers to the internet! On Windows XP, the network connections
are individually settable for firewall settings.

Is there a way to start the Firewall in Jaguar *only* on the internet
connection? It's pretty useless as it is now.

OS X Man

Jacques Distler

Sep 28, 2002, 2:33:15 PM
In article <me-48A13B.13...@unknown.level3.net>, OS X Man
<m...@here.net> wrote:


Apple's GUI interface to IPFW is pretty lame. BrickHouse (shareware)
gives a much more powerful GUI interface to IPFW.

But to access all the features of IPFW, you may need to edit the
firewall rules by hand. (BrickHouse, I believe, provides an "expert
mode" where you can do this, or you can always fire up a text editor.)

Basically, the script in the StartupItems folder which starts up the
firewall reads the firewall configuration rules from a plain text file
(in the case of Brickhouse, /etc/firewall.conf).

A reasonable set of commands in the StartUp script is

/sbin/ipfw -q /etc/firewall.conf
/usr/sbin/sysctl -w net.inet.ip.fw.verbose=1
/usr/sbin/sysctl -w net.inet.ip.fw.verbose_limit=5000

The first starts up the firewall, reading in the firewall rules. The
latter two enable logging.

A typical rule might look like

add 3007 allow tcp from any to any 80 setup keep-state in via en0

Note the "via en0". This means that the rule applies to the en0 network
interface (but not, say, to en1).

For more information on the rules and their syntax,

man ipfw

--
PGP public key: http://golem.ph.utexas.edu/~distler/distler.asc
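The two-NIC sharing setup the original poster describes, with every filtering rule pinned to the cable-modem interface the way the "via en0" rule above does it, as an added example that is not part of any post in this thread. It assumes en0 is the cable modem, en1 the shared LAN and 192.168.2.0/24 the LAN subnet (all placeholders), and that Internet Sharing's own NAT rule, if it installs one, sits at a lower rule number.

```shell
#!/bin/sh
# Added example, not from the thread: a hand-written ipfw ruleset for a
# Jaguar box sharing a cable modem, in the style of the StartupItems
# script described above. Assumptions (placeholders, check with
# `ifconfig` and `ipfw show`): en0 = cable modem side, en1 = shared LAN
# side, 192.168.2.0/24 = LAN subnet. Rule numbers start at 100 so that
# any lower-numbered NAT rule Internet Sharing installs stays ahead.
EXT_IF=en0
LAN_IF=en1
LAN_NET=192.168.2.0/24

# Emit the rules in /etc/firewall.conf syntax. Every filtering rule is
# pinned to $EXT_IF with "via", so traffic on the LAN interface is never
# blocked, which is what the original poster was after.
#   100      loopback is always allowed
#   200      packets of sessions already recorded by keep-state
#   300      the trusted LAN side is not filtered at all
#   400-410  outbound sessions on the external interface create state
#   500-510  inbound on the external interface: web server plus basic ICMP
#   600      anti-spoofing: LAN addresses must never arrive from outside
#   65000    anything else arriving on the external interface: drop and log
ruleset() {
  cat <<EOF
add 100 allow ip from any to any via lo0
add 200 check-state
add 300 allow ip from any to any via $LAN_IF
add 400 allow tcp from any to any out via $EXT_IF setup keep-state
add 410 allow udp from any to any out via $EXT_IF keep-state
add 500 allow tcp from any to any 80 setup keep-state in via $EXT_IF
add 510 allow icmp from any to any in via $EXT_IF icmptypes 0,3,8,11
add 600 deny log ip from $LAN_NET to any in via $EXT_IF
add 65000 deny log ip from any to any in via $EXT_IF
EOF
}

# Sanity check before loading: how many rules are scoped to the external
# interface (everything except loopback, check-state and the LAN rule).
count_ext_rules() { ruleset | grep -c "via $EXT_IF"; }

# Write the file and load it the way the startup script does. Only the
# load step needs ipfw, so the file can be generated anywhere.
load_rules() {
  conf=${1:-/etc/firewall.conf}
  ruleset > "$conf" || return 1
  [ -x /sbin/ipfw ] || { echo "ipfw not found, wrote $conf only" >&2; return 0; }
  /sbin/ipfw -q "$conf" &&
  /usr/sbin/sysctl -w net.inet.ip.fw.verbose=1 &&
  /usr/sbin/sysctl -w net.inet.ip.fw.verbose_limit=5000
}
```

Run `load_rules` as root on the Mac to replace the GUI's rules; `ipfw show` afterwards confirms nothing but rule 300 mentions en1.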

Hugo Wolf

Sep 28, 2002, 3:54:19 PM
In article <280920021333158504%dis...@golem.ph.utexas.edu>, Jacques
Distler wrote:
> Apple's GUI interface to IPFW is pretty lame.

Simple, not lame. For the majority of OS X users it's actually quite
an elegant approach, providing excellent firewalling with minimal
fuss. It could use a few enhancements (e.g. UDP and specific host or
subnet specifications) but the general structure is very nice.

No doubt some sophisticated users will need finer control than
whatever Apple provides. But those users should, and in my experience
would rather, be writing rules directly rather than using any kind of
gui.
--
d f-d
Tom Stiller

Sep 28, 2002, 4:30:42 PM
In article <me-48A13B.13...@unknown.level3.net>,
OS X Man <m...@here.net> wrote:

Did you first turn on Internet Sharing?

--
Tom Stiller

PGP fingerprint = 5108 DDB2 9761 EDE5 E7E3 7BDA 71ED 6496 99C0 C7CF

OS X Man

Sep 28, 2002, 5:49:08 PM
In article <280920021333158504%dis...@golem.ph.utexas.edu>,
Jacques Distler <dis...@golem.ph.utexas.edu> wrote:

> Apple's GUI interface to IPFW is pretty lame. BrickHouse (shareware)
> gives a much more powerful GUI interface to IPFW.

I've heard of BrickHouse, but I didn't know what it was. It sounds
like I need this.

> But to access all the features of IPFW, you may need to edit the
> firewall rules by hand. (BrickHouse, I believe, provides an "expert
> mode" where you can do this, or you can always fire up a text editor.)

I'm not afraid of that, I'm an old DOS hand!

> Note the "via en0". This means that the rule applies to the en0 network
> interface (but not, say, to en1).
>
> For more information on the rules and their syntax,
>
> man ipfw

Will do, thanks for the pointers.

OS X Man

OS X Man

Sep 28, 2002, 5:52:11 PM
In article <tomstiller-2C405...@news.comcast.giganews.com>,
Tom Stiller <tomst...@comcast.net> wrote:

> In article <me-48A13B.13...@unknown.level3.net>,
> OS X Man <m...@here.net> wrote:
>
> > I've been playing with the Internet sharing in Jaguar. I installed a
> > 2nd NIC, and I have my cable modem shared. I've been doing this thru
> > my Windows machine for years, just wanted to try out the OS X version.
> >
> > Anyways, the Firewall settings seem to apply automatically to *both*
> > networks. IOW, if I start the firewall, it blocks connections from my
> > local computers to the internet! On Windows XP,the network connections
> > are individually settable for firewall settings.
> >
> > Is there a way to start the Firewall in Jaguar *only* on the internet
> > connection? It's pretty useless as it is now.
> >
>
> Did you first turn on Internet Sharing?

Yes of course, but once I enable the firewall, Internet Sharing no
longer works, because the Firewall is enabled on *both* networks. I
had to turn off the Firewall in order for Internet Sharing to work.
That's pretty lame, IMO.

I'll play with it some more later, for now I've switched back to my
Windows XP machine doing the sharing. It's easier and actually more
secure at this point.

OS X Man

OS X Man

Sep 28, 2002, 5:59:25 PM
In article <LNnl9.627304$UU1.109930@sccrnsc03>,
Hugo Wolf <hw...@deutsches.lieder.net> wrote:

> In article <280920021333158504%dis...@golem.ph.utexas.edu>, Jacques
> Distler wrote:
> > Apple's GUI interface to IPFW is pretty lame.
>
> Simple, not lame. For the majority of osx users it's actually quite
> an elegant approach, providing excellent firewalling with minimal
> fuss. It could use a few enhancements (eg udp and specific host or
> subnet specifications) but the general structure is very nice.

Brain dead, not simple. If you want to do Internet Connection Sharing,
you can't use the Firewall at the same time, and there is no way to
configure via the GUI (that I can see) the firewall to only work on the
Internet Connection, which is the only place I need it.

OS X Man
