Anyways, the Firewall settings seem to apply automatically to *both*
networks. IOW, if I start the firewall, it blocks connections from my
local computers to the internet! On Windows XP, the network connections
are individually settable for firewall settings.
Is there a way to start the Firewall in Jaguar *only* on the internet
connection? It's pretty useless as it is now.
OS X Man
Apple's GUI interface to IPFW is pretty lame. BrickHouse (shareware)
gives a much more powerful GUI interface to IPFW.
But to access all the features of IPFW, you may need to edit the
firewall rules by hand. (BrickHouse, I believe, provides an "expert
mode" where you can do this, or you can always fire up a text editor.)
Basically, the script in the StartupItems folder which starts up the
firewall reads the firewall configuration rules from a plain text file
(in the case of Brickhouse, /etc/firewall.conf).
A reasonable set of commands in the StartUp script is
/sbin/ipfw -q /etc/firewall.conf
/usr/sbin/sysctl -w net.inet.ip.fw.verbose=1
/usr/sbin/sysctl -w net.inet.ip.fw.verbose_limit=5000
The first starts up the firewall, reading in the firewall rules. The
latter two enable logging.
A typical rule might look like
add 3007 allow tcp from any to any 80 setup keep-state in via en0
Note the "via en0". This means that the rule applies to the en0 network
interface (but not, say, to en1).
For more information on the rules and their syntax,
man ipfw
--
PGP public key: http://golem.ph.utexas.edu/~distler/distler.asc
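As an added example, not code from anyone in this thread: a ruleset in the plain-text format that `/sbin/ipfw -q /etc/firewall.conf` reads, restricted to the cable-modem interface with "via" the way the post above describes, plus a small check that flags rules which forgot the "via" and so would apply to both NICs. It assumes en0 is the internet side and en1 the LAN side; the rule numbers and rules are constructed, and any NAT divert rule that Internet Sharing installs is assumed to sit at a lower rule number.

```shell
#!/bin/sh
# Constructed ipfw ruleset: firewall the internet-facing NIC only, leave the LAN NIC open.
# Assumptions: en0 = cable modem (untrusted side), en1 = second NIC on the local LAN.
WAN=en0
LAN=en1

# Print the rules in the form /etc/firewall.conf expects (one ipfw command per line).
firewall_rules() {
    cat <<EOF
add 1000 allow ip from any to any via lo0
add 1020 allow ip from any to any via $LAN
add 2000 check-state
add 2010 allow tcp from any to any out via $WAN setup keep-state
add 2020 allow udp from any to any out via $WAN keep-state
add 3007 allow tcp from any to any 80 setup keep-state in via $WAN
add 3010 allow icmp from any to any via $WAN icmptypes 0,3,8,11
add 65000 deny log ip from any to any in via $WAN
EOF
}

# Audit helper: every rule other than loopback and check-state must name an
# interface with "via"; an unscoped rule applies to both NICs, which is what
# breaks Internet Sharing. Returns 0 if all rules are scoped, 1 otherwise.
check_scoped() {
    rc=0
    while IFS= read -r rule; do
        case "$rule" in
            "add "*check-state*|*" via lo0"*) continue ;;
            *" via $WAN"*|*" via $LAN"*) ;;
            *) echo "unscoped rule: $rule" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Install: write the file, load it, and turn on logging as in the post's startup script.
# Not run by the self-test; run as root on the machine that does the sharing.
install_rules() {
    firewall_rules | check_scoped || return 1
    firewall_rules > /etc/firewall.conf
    /sbin/ipfw -q flush
    /sbin/ipfw -q /etc/firewall.conf
    /usr/sbin/sysctl -w net.inet.ip.fw.verbose=1
    /usr/sbin/sysctl -w net.inet.ip.fw.verbose_limit=5000
}
```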
Simple, not lame. For the majority of osx users it's actually quite
an elegant approach, providing excellent firewalling with minimal
fuss. It could use a few enhancements (eg udp and specific host or
subnet specifications) but the general structure is very nice.
No doubt some sophisticated users will need finer control than
whatever Apple provides. But those users should, and in my experience
would rather, be writing rules directly rather than using any kind of
gui.
--
d f-d
Did you first turn on Internet Sharing?
--
Tom Stiller
PGP fingerprint = 5108 DDB2 9761 EDE5 E7E3 7BDA 71ED 6496 99C0 C7CF
> Apple's GUI interface to IPFW is pretty lame. BrickHouse (shareware)
> gives a much more powerful GUI interface to IPFW.
I've heard of BrickHouse, but I didn't know what it was. It sounds
like I need this.
> But to access all the features of IPFW, you may need to edit the
> firewall rules by hand. (BrickHouse, I believe, provides an "expert
> mode" where you can do this, or you can always fire up a text editor.)
I'm not afraid of that, I'm an old DOS hand!
> Note the "via en0". This means that the rule applies to the en0 network
> interface (but not, say, to en1).
>
> For more information on the rules and their syntax,
>
> man ipfw
Will do, thanks for the pointers.
OS X Man
> In article <me-48A13B.13...@unknown.level3.net>,
> OS X Man <m...@here.net> wrote:
>
> > I've been playing with the Internet sharing in Jaguar. I installed a
> > 2nd NIC, and I have my cable modem shared. I've been doing this thru
> > my Windows machine for years, just wanted to try out the OS X version.
> >
> > Anyways, the Firewall settings seem to apply automatically to *both*
> > networks. IOW, if I start the firewall, it blocks connections from my
> > local computers to the internet! On Windows XP, the network connections
> > are individually settable for firewall settings.
> >
> > Is there a way to start the Firewall in Jaguar *only* on the internet
> > connection? It's pretty useless as it is now.
> >
>
> Did you first turn on Internet Sharing?
Yes of course, but once I enable the firewall, Internet Sharing no
longer works, because the Firewall is enabled on *both* networks. I
had to turn off the Firewall in order for Internet Sharing to work.
That's pretty lame, IMO.
I'll play with it some more later, for now I've switched back to my
Windows XP machine doing the sharing. It's easier and actually more
secure at this point.
OS X Man
> In article <280920021333158504%dis...@golem.ph.utexas.edu>, Jacques
> Distler wrote:
> > Apple's GUI interface to IPFW is pretty lame.
>
> Simple, not lame. For the majority of osx users it's actually quite
> an elegant approach, providing excellent firewalling with minimal
> fuss. It could use a few enhancements (eg udp and specific host or
> subnet specifications) but the general structure is very nice.
Brain dead, not simple. If you want to do Internet Connection Sharing,
you can't use the Firewall at the same time, and there is no way to
configure via the GUI (that I can see) the firewall to only work on the
Internet Connection, which is the only place I need it.
OS X Man