Inserting NAT for a local interface into the Firewall rules
- Subject: Inserting NAT for a local interface into the Firewall rules
- From: Thomas Tempelmann <email@hidden>
- Date: Mon, 15 Oct 2007 18:28:54 +0200
- Thread-topic: Inserting NAT for a local interface into the Firewall rules
Not being a BSD "pro", but having basic understanding of network protocols
and some experience with Linux routing and filtering, I am looking for a
"proper" solution to add a NAT under OS X:
I have a second network interface that wants to use the default gateway for
internet access. Since this new interface is provided through a hot-pluggable
USB device, I need to provide fitting drivers to configure this access on
the fly, without interrupting any other user-controllable network
configurations such as the Firewall or Internet Sharing.
In the most simple case (no Internet Sharing, no Firewall), I'd issue the
following commands to activate NAT for the device (assuming 'en0' is the
default gateway and 'en3' is the USB interface):
ifconfig en3 192.168.x.1 # (I make sure that 'x' is an unused subnet)
/usr/sbin/natd -interface en0 -dynamic -enable_natportmap -natportmap_interface en3
/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via en0
sysctl -w net.inet.ip.fw.enable=1
However, when the user has enabled the OS X Firewall, this won't work for
several reasons:
1. The 'flush' would clear all rules, so it needs to be suppressed.
2. The added rule would get _behind_ the last Firewall rule, which denies
all packets. My rule would need to be inserted earlier.
3. If the user turns off the Firewall, my rule gets deleted as well. But if
I try to prevent this by using another rule set (instead of 'set 0'), OS X's
Firewall control panel won't like it at all.
So, what's the proper way to deal with this?
Issue (1) I guess I can detect by checking whether the firewall is enabled
at all (checking the output from "sysctl -n net.inet.ip.fw.enable"), and
only flush if the firewall is off currently. Or maybe even not ever flush
but instead look if there's a divert natd rule already for my interface, and
delete just that.
For (3), I guess I'll have to run a daemon which registers for events such
as a Firewall config change, and then re-issue my settings. But which event
would that be?
And for (2), I could just add my rule with a lower number, below 1000, but
what's the proper way to choose a number for this?
Thomas
Macnetworkprog mailing list (email@hidden)
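The approach sketched in the message for issues (1) and (2), as an added shell example that is not code from the original post: check the sysctl before deciding whether a flush is safe, otherwise look for an existing "divert natd ... via <interface>" rule in the `ipfw list` output and delete just that one, then add the new rule with an explicit number ahead of the firewall's final deny rule. The rule number 800 is an assumed placeholder (the post only says "below 1000"), and the parsing assumes `ipfw list` prints each rule as a number followed by the rule body; the sample listing in the usage note is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): install a "divert natd" rule
# without flushing the user's existing firewall rules.
# Assumptions: NAT rule number 800 is a placeholder; ipfw list prints lines
# of the form "NNNNN <action> <proto> from ... to ... [via <iface>]".

EXT_IF="${EXT_IF:-en0}"                 # interface holding the default gateway
NAT_RULE_NUM="${NAT_RULE_NUM:-800}"     # assumed: any number before the final deny

# Read ipfw list output on stdin and print the (unpadded) numbers of every
# "divert natd ... via <iface>" rule, so only those rules get touched.
find_nat_rules() {
    awk -v ifc="$1" '
        $2 == "divert" && $3 == "natd" && $(NF-1) == "via" && $NF == ifc { print $1 + 0 }'
}

# plan_nat_rules <fw_enabled 0|1> <iface> <rule number>
# Reads ipfw list output on stdin and prints, one per line, the commands to
# run. With the firewall off a flush is harmless; with it on, only our own
# earlier divert rule(s) are removed and the user's rules stay in place.
plan_nat_rules() {
    enabled="$1"; ifc="$2"; num="$3"
    listing=$(cat)
    existing=$(printf '%s\n' "$listing" | find_nat_rules "$ifc")
    if [ "$enabled" != "1" ]; then
        echo "ipfw -f flush"
    else
        for r in $existing; do
            echo "ipfw delete $r"
        done
    fi
    # explicit number puts the rule ahead of the firewall's deny-all rule
    echo "ipfw add $num divert natd all from any to any via $ifc"
    if [ "$enabled" != "1" ]; then
        echo "sysctl -w net.inet.ip.fw.enable=1"
    fi
}

# Execute the plan against the live system (needs root; only run on request).
apply_nat_rules() {
    enabled=$(/usr/sbin/sysctl -n net.inet.ip.fw.enable 2>/dev/null || echo 0)
    /sbin/ipfw list | plan_nat_rules "$enabled" "$EXT_IF" "$NAT_RULE_NUM" |
    while read -r cmd; do
        # shellcheck disable=SC2086  # word-splitting of the planned command is intended
        set -- $cmd
        case "$1" in
            ipfw)   shift; /sbin/ipfw "$@" ;;
            sysctl) shift; /usr/sbin/sysctl "$@" ;;
        esac
    done
}

# Only touch the real firewall when explicitly asked: ./nat.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_nat_rules
fi
```

Run with `--apply` as root to act on the system; without it the functions are only defined, so the planning logic can be exercised against a saved `ipfw list` (for instance a constructed listing containing `00790 divert natd ip from any to any via en0` yields `ipfw delete 790` followed by the new `ipfw add 800 ...` line when the firewall is on, and a flush plus a `sysctl` enable when it is off). Leaving the deny-all rule alone and deleting by exact rule number is what keeps the user's firewall configuration intact.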