Anyone know a lot about firewalls?

djeans

I need help adding some rules to my firewall.

I am sharing a cable modem using natd with my roommate (also running OS X 10.1). That is working fine. For work, though, he needs to be able to FTP to his home computer from work, and maybe even VNC to it. I spent a lot of time trying to figure out how to make this happen, and my best guess now is to divert any traffic coming to my computer on port 21 to his computer on the LAN. I think this will work, but have no idea how to edit the firewall script to make it work.

The script that I am using is as follows.

#!/bin/sh

sysctl -w net.inet.ip.forwarding=1 > /dev/null

natd -interface en0

/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via en0
/sbin/ipfw add pass all from any to any


thanks for any help
 
I have not done any software firewalls. Make certain the computers do not have dynamic IPs. There are GUI firewall apps for X available at versiontracker.

Sorry I couldn't be more help.
 
You need to supply more args to natd. I'm not sure what that /dev/null line of code does, I've never used it. But your firewall is diverting everything through natd, and port mapping in parts overrides what natd is doing, so that's what you need to mess with.

man natd

and I assume you are running this stuff as root already, or it wouldn't go.

natd -i en0 -redirect_port tcp 192.168.0.2:21 21

That may be the only line you need for natd; call it like that and you're golden, assuming the inside machine's IP is like that. I'm assuming you have a clue about IP, just not Unix and natd. Good luck, let me know how it goes.
 
You should use Brickhouse or FireWalk; they were designed specifically to take the script coding need out of the OS X firewall (which is built into the OS, of course). These apps--particularly Brickhouse--supply MOST of the possible general filters needed. Just select them and "apply." Brickhouse does the rest.
 
You should read Damien Gallop's series on Mac Security. It will help you configure Brickhouse and show you the differences between all the different firewalls for Mac OS X.
 
Thanks so much for the help. I'm very tired right now and not feeling well, so I will try it tomorrow and post the results.

I did try Brickhouse, but couldn't get it to work. I'm not sure what it was really doing, because I would change a few settings, click apply, then save, and then install, and reboot. When I would look at the script in /system/library/startupitems/network, nothing had changed. (By the way, not sure if I typed that path exactly right; like I said, I'm tired and sick.)

Maybe I'm not doing something right.

I will try adding the line to the script tomorrow though.

Thanks again.
 
I went ahead and gave it a try (I know, I should be in bed).

This is how my script looks now. (By the way, you were only off by one number on his local IP.)


#!/bin/sh

sysctl -w net.inet.ip.forwarding=1 > /dev/null

natd -interface en0
natd -i en0 -redirect_port tcp 192.168.0.20:21 21
/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via en0
/sbin/ipfw add pass all from any to any

When I run the script, I get this error:


[c80291-a:~] root# sh /System/Library/StartupItems/Network/rc.natd
natd: unknown service en0/divert
Flushed all rules.
00000 divert 8668 ip from any to any via en0
00000 allow ip from any to any
[c80291-a:~] root#


Thanks in advance for any help.

darron
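Added example, not the poster's script and not natd's documentation: an rc-style ruleset that forwards only the FTP control port to one LAN host (one natd process, with -redirect_port on the same command line as -interface) and replaces the "pass all from any to any" on the cable-modem side with explicit allow rules and a logged default deny. Assumed values, taken from the thread: external interface en0 and the roommate's machine at 192.168.0.20. The commands are printed rather than run so they can be reviewed first.

```shell
#!/bin/sh
# gen_rules EXT_IF INSIDE_IP: print the natd/ipfw commands for the gateway.
# Apply as root on the gateway with:  gen_rules en0 192.168.0.20 | sh
gen_rules() {
    ext_if=$1   # interface facing the cable modem (assumed en0)
    inside=$2   # LAN host that should receive forwarded FTP (assumed 192.168.0.20)
    fw=/sbin/ipfw
    echo "sysctl -w net.inet.ip.forwarding=1 > /dev/null"
    # make the 'deny log' rule below actually write to syslog
    echo "sysctl -w net.inet.ip.fw.verbose=1 > /dev/null"
    # one natd process; the redirect goes on the same command line as -interface
    echo "natd -interface $ext_if -redirect_port tcp $inside:21 21"
    echo "$fw -f flush"
    # NAT first: every rule after this one sees the translated addresses
    echo "$fw add divert natd all from any to any via $ext_if"
    # replies belonging to TCP connections that already exist, either direction
    echo "$fw add allow tcp from any to any established"
    # anything the gateway or the LAN sends out (source already rewritten by natd)
    echo "$fw add allow ip from any to any out via $ext_if"
    # DNS answers, plus the ICMP types needed for ping replies, unreachables and traceroute
    echo "$fw add allow udp from any 53 to any in via $ext_if"
    echo "$fw add allow icmp from any to any in via $ext_if icmptypes 0,3,11"
    # the only new inbound connection accepted from the cable side:
    # the FTP control port, already redirected by natd to the inside host
    echo "$fw add allow tcp from any to $inside 21 in via $ext_if setup"
    # everything else arriving from the cable side is dropped and logged
    echo "$fw add deny log ip from any to any in via $ext_if"
    # LAN and loopback traffic stays open, as in the original script
    echo "$fw add allow ip from any to any"
}

# rules_ordered EXT_IF INSIDE_IP: exit 0 only if the divert rule comes
# before every allow rule, which is what makes the address checks meaningful
rules_ordered() {
    gen_rules "$1" "$2" | awk '
        /divert natd/ { d = NR }
        /add allow/   { if (!d) bad = 1 }
        END { exit bad }'
}
```

Any other service that should be reachable from the cable side needs its own allow rule placed before the deny; everything not listed, including connections to the gateway itself, is now logged and dropped.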
 
I use Brickhouse and I love it. I'm not familiar with the Unix code so in that respect I can't be of any help. BUT>>> Maybe if you turn file sharing on to your roommate's machine, add him to your server (gateway) as a user, and connect to his machine locally. Then when you're connected, put an alias of his desktop in his user folder. He should be able to FTP into your machine, see his desktop alias and then access his machine. Maybe I'm wrong, but it might just work.
 