# AirPort Base - Can I block access to Internet for one Mac?



## Randy in Kiev (Sep 28, 2003)

I've got 3 macs on an AirPort network using the AirPort Extreme base station.  I want ALL 3 macs to be able to access printers and share files with each other on this network, BUT I want to restrict ONE of those macs from accessing the internet thru the WAN port.  Is this possible?  What's the process?

 Thanks ahead ... Randy in Kiev


----------



## Arden (Sep 29, 2003)

The easiest way I can think of is to uninstall all browsers and disallow file-sharing of browsers on other computers so that computer can't transfer Safari from another computer to it.


----------



## bobw (Sep 29, 2003)

Go to this page at Apple;

http://docs.info.apple.com/article.html?artnum=120061

and download both Designing AirPort Networks 2 and Designing AirPort for Mac OS X. These manuals will show you how to do this.


----------



## Randy in Kiev (Sep 29, 2003)

arden wrote: 


> _Originally posted by arden _
> *The easiest way I can think of is to uninstall all browsers ... *



 Unfortunately that leaves the user (my son) unable to read a lot of locally stored IE html files that he needs access to.  Nevertheless, thanks for the suggestion.


----------



## cockneygeezer (Sep 29, 2003)

Ok, you have a Airport Extreme that is connected to a Broadband Modem. You have 3 Macs with Airport and you want to restrict one of these Macs access to the Internet, but not the internal network.

The only solution that I can suggest is that you do this:

1. Create a new user account on the machine that you want to restrict. Give this User Account no Admin rights.

2. Then in the Sharing Control Panel, select the Firewall tab. Click New, Port Name: Other, Port Number: 80, Description: Web Access, select OK

3. Start the Firewall.

4. Logout. In theory, the User that uses that machine cannot use the internet now.

If this doesn't work, or it's not what you are looking for, you might want to look at your Airport Hub Admin Software more closely. In the Airport Admin Software suite, you can restrict machines via they Mac Address, and you can restrict them via IP numbers. You might want to explore your manual more closely.


----------



## cockneygeezer (Sep 29, 2003)

--


----------



## Randy in Kiev (Sep 30, 2003)

> _Originally posted by bobw _
> *Go to this page at Apple;
> 
> http://docs.info.apple.com/article.html?artnum=120061
> ...



Thanks, Bob.  I've read these documents once more (at your suggestion).  If the answer is there, and perhaps it is, I just don't see it.  I probably just don't know enough about networking nitty-gritty to see the connection between what I want to do and what it says I CAN do.  If you have opportunity, could you be a little more specific in what I should be looking for?  For example, I do understand using DHCP and IP addresses and MAC addresses, but I really don't have a clue what the idea of "ports" are.  

Oh, and cockneygeezer, I'll try your suggestion.  Thanks.  

Is there a good tutorial you'd recommend on networking and protocols on the internet--different layers and all, especially the idea of ports and how they're used?  I'm an old networking tech, but haven't updated my knowledge in about 10 years  . 

Thanks to all  who have contributed.


----------



## lurk (Sep 30, 2003)

Hi Randy,

I have a solution to your problem but it will require the power of Unix.  What you want to do is set up a firewall rule on your son's computer that blocks any outgoing connections on port 80.  The stuff in the sharing pane is for incoming connections and won't help here.

For the record here is the magic incantation to make this work.


```
ipfw add 42001 deny tcp from any to any http
```

I am attaching a startup item which includes this bit of code as an attachment.  If it works you should be able to unzip it and move the MyFirewall folder which results to /Library/StartupItems on your son's computer and reboot.  After which all websites will be blocked.

This will block things on the level of the computer so no other users will be able to get to the internet on that machine.  Also I have found that fiddling with the locations settings can make the machine reset the firewall and make this change disappear.

But hey it is better than nothing 

-Eric


----------

