Thank you for downloading my
"Firewall and NAT StartupItem Mac OS X 10.2"
===================================================
**What is it?**
This is a startup item for Mac OS X 10.2 that configures ipfw (the firewall)
and natd (NAT, which lets many computers share one public IP address).
I have made some pointers on how to configure it if you have a dynamic IP
address from your ISP, but it's *not* tested.
I use this startup item on a Mac OS X 10.2 Server (with one extra NIC card)
that acts as a firewall and NAT server for an internal network. The server is
connected to the Internet via ADSL with a static IP address. All the
computers on the internal network get a private IP address via DHCP and can
surf the Internet, look at home pages, check e-mail, etc.
I think it will also work on Mac OS X 10.2 (client), but then you must install
and set up a DHCP server the Unix way or use static IP addresses.
By default the script sets up ipfw to block all incoming ports.
Everything outgoing is allowed. DNS, DHCP, etc. are also set up to work. Open
up the services you use by uncommenting the corresponding rules in the script.
I hope you will find it useful.
**Install instructions**
These instructions are a bit terse; you need to be able to use the Terminal
and some basic Unix commands.
I use the private network range 192.168.0.0/24 (192.168.0.1-254), but you
can use whatever you like (e.g. 10.0.0.0/8, 172.16.0.0/12 or
192.168.0.0/16). I chose to set the start address for DHCP to *.11 so I can
use *.2-10 as fixed addresses.
1. Edit the startup script "*/Firewall/Firewall". At minimum you need to
"Define your variables", and you probably want to make some changes to
the ipfw rules. Make sure you save it in text format with Unix line
endings.
2. Edit the file "/etc/hostconfig" and change "IPFORWARDING=-NO-"
to "IPFORWARDING=-YES-".
% sudo pico /etc/hostconfig
3. Configuration for your extra NIC card:
IP address: 192.168.0.1
Subnet mask: 255.255.255.0
Router address: leave blank
Domain Name Servers: same as built-in ethernet
Search Domains: same as built-in ethernet
4. Configuration for your DHCP server:
(Only for Mac OS X 10.2 Server)
Subnet Name: whatever you want, e.g., Internal Net
Port: choose the PCI card from the list
Start: 192.168.0.11
End: 192.168.0.50
Subnet Mask: 255.255.255.0
Router: 192.168.0.1
Default Domain: same as Search Domains in Network Control Panel
DNS Servers: same as in Network Control Panel
5. Turn on your DHCP server
(Only for Mac OS X 10.2 Server)
6. Copy the folder "Firewall" to "/Library/StartupItems/"
% cd [path]/Firewall_and_NAT_StartupItem_Mac_OS_X_10.2
% sudo cp -R ./Firewall /Library/StartupItems/
7. The permissions should look like this:
% cd /Library/StartupItems/Firewall
% ls -l
-rwxr-xr-x 1 root admin 13586 Jan 1 12:00 Firewall
drwxr-xr-x 4 root admin 136 Jan 1 12:00 Resources
-rw-r--r-- 1 root admin 595 Jan 1 12:00 StartupParameters.plist
8. The script "Firewall" must be executable; if it is not, you need to
chmod it:
% cd /Library/StartupItems/Firewall
% sudo chmod 755 Firewall
9. [Optional] If you want to use the natd configuration file "rc.natd",
I recommend you copy it to /usr/local/etc. This is the file in which
you set up port forwarding, etc.
% cd [path]/Firewall_and_NAT_StartupItem_Mac_OS_X_10.2
% sudo mkdir -p /usr/local/etc
% sudo cp ./rc.natd /usr/local/etc/
10. To activate it, restart the computer or use SystemStarter:
% sudo SystemStarter start Firewall
**Port forwarding**
To get port forwarding working you need to make the appropriate
settings in rc.natd *and* open up the port(s) to the private LAN.
See rule 5091 in the Firewall script for an example.
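As an added illustration of the two pieces port forwarding needs (the rc.natd setting from step 9 and the matching ipfw rule), here is a small sh script that is not the author's Firewall script or rc.natd. It assumes en0 is the public ADSL interface, en1 the extra NIC and 192.168.0.5 the internal web server; the rule numbers other than 5091 are made up.

```shell
# Added example, not the author's Firewall script or rc.natd.  It generates
# the natd "redirect_port" line and the ipfw rule that lets the translated
# packet reach the private host.  Assumed: en0 is the public ADSL interface,
# en1 the extra NIC, 192.168.0.5 the web server being exposed.

EXT_IF="${EXT_IF:-en0}"
INT_IF="${INT_IF:-en1}"
NATD_CONF="${NATD_CONF:-/usr/local/etc/rc.natd}"

# Accept only a port number in 1..65535.
valid_port() {
    case $1 in '' | *[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# natd configuration in the key/value format read by "natd -f FILE".
natd_config() {
    printf 'interface %s\n' "$EXT_IF"
    printf 'use_sockets yes\nsame_ports yes\ndynamic yes\n'
    # Connections to public port $2 are rewritten to the internal host $1.
    printf 'redirect_port tcp %s:%s %s\n' "$1" "$2" "$2"
}

# ipfw rules, emitted as "ipfw add" lines so they can be reviewed before use.
# The divert rule hands every packet on the public interface to natd first;
# an inbound packet for the forwarded port therefore re-enters the rule set
# with its destination already rewritten, so the allow rule (numbered 5091
# because the README points at that rule) must name the *private* host, not
# the public IP.  The page's other rules (DNS, DHCP, ...) are not repeated.
ipfw_rules() {
    echo "ipfw add 100 divert natd all from any to any via $EXT_IF"
    echo "ipfw add 1000 allow ip from any to any via $INT_IF"
    echo "ipfw add 5091 allow tcp from any to $1 $2 in via $EXT_IF setup"
    echo "ipfw add 65000 deny log ip from any to any"
}

# Write rc.natd, start natd and load the rules (needs root).  With DRY_RUN=1
# (the default here) the generated configuration is only printed.
apply() {
    valid_port "$2" || { echo "invalid port: $2" >&2; return 1; }
    if [ "${DRY_RUN:-1}" = 1 ]; then
        natd_config "$1" "$2"; ipfw_rules "$1" "$2"; return 0
    fi
    natd_config "$1" "$2" > "$NATD_CONF"
    natd -f "$NATD_CONF"
    ipfw_rules "$1" "$2" | sh
}

if [ $# -eq 2 ]; then apply "$1" "$2"; fi
```

Run it as `sh forward.sh 192.168.0.5 80` to print what would be configured, and with `DRY_RUN=0` as root to apply it; the ipfw rules shown belong in the Firewall script rather than being loaded on their own.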
**Contact Info**
Send e-mail to Fredrik Jonsson on <fredrik at combonet dot se>. Download
new versions at <http://xdeb.org/fredrik/comp/firewall.phtml>.
**E-mailware**
This script is e-mailware so please send me an e-mail
<mailto(colon)fredrik(at)combonet(dot)se> if you use the script.
**Credit**
There is no way I could have put this code together without the help of
resources on the Internet.
The resources I have found most helpful are:
<http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO>
<http://www.freebsd-howto.com/HOWTO/Ipfw-Advanced-Supplement-HOWTO>
<http://www.afp548.com/Articles/system/natserver.html>
<http://www3.sympatico.ca/dccote/firewall.html>
<http://www.sial.org/howto/osx/firewall/>
<http://www.macosxhints.com/article.php?story=20030830130455582>
Dru Lavigne <http://www.onlamp.com/pub/ct/15>
BrickHouse <http://brianhill.dyndns.org/>
**Disclaimer**
You use the scripts at your own risk! They work for me but I provide them
"as is" without any warranty of any kind.
**Release Notes**
Version 1.0b4 -- 2003-09-10
- Added information about how to get port forwarding working.
- All incoming ports closed by default.
- Added more descriptive comments to rules.
- Added state to more rules.
- Added rules for Rendezvous, iTunes 4, iChat AV, BitTorrent and NetFone.
- All rules have unique rule numbers.
- Cleaned up and moved around some rules.
Version 1.0b3 -- 2003-04-04
- Added options to some rules. When two rules have the same number, only
one can be active at the same time.
- Cleaned up and moved around some rules.
Version 1.0b2 -- 2002-12-12
- Changed the name by removing "Server". Everything except the instructions
for the DHCP server should apply to all Mac OS X 10.2.
- Added a rule that sends a RESET to all ident packets. Hopefully this will
help with IRC problems.
- The rc.natd will be used automatically if it is in place.
- Removed the "-unregistered_only" flag from the natd configuration.
- "Set longer ACK lifetime" is active by default. Hopefully this will help
with various timeout problems.
Version 1.0b1 -- 2002-12-02
- First version to be released.