
Reader Reports 

NAT and PPP


I don't know if you've experimented with using natd and ipfw to set 
up a firewall-proxy-ish server for your network. I did a quick 
experiment to get both of my Macs on the same PPP connection. Here 
are the notes I sent to Accelerate Your Mac:


I have a 9500 desktop and Bronze Powerbook hooked up together via an 
ethernet switch. I installed MacOS X on my Powerbook. I connect the 
Powerbook to the internet via PPP and allow the desktop to go through 
it to the Internet.

On my 9500 (the internal machine), I brought up the TCP/IP control 
panel and set it to Manual, with the following:

    IP Address 10.0.0.2
    Router 10.0.0.1
    Name Servers the same as on your MacOS X machine's PPP Connect settings

Then on the MacOS X machine:

1. Bring up PPP with PPP Connect.

2. Run Terminal, and in a terminal window "go superuser" (change 
your permissions to root), i.e. type:

    su

then type in your password. You are now root in that window, so be 
careful! Do the rest of these steps in this window.

3. Bring up your ethernet interface:

    ifconfig en0 inet 10.0.0.1 up

If you now do an

    ifconfig -a

you should see the en0 interface is up and has the IP address 
10.0.0.1. (The address 10.0.0.1 is a "private" address for use in 
situations like this.)

4. Enable ip forwarding:

    sysctl -w net.inet.ip.forwarding=1

5. Run natd:

    natd -interface ppp0

6. Now that natd is up, you can redirect traffic to it:

    ipfw add divert natd ip from any to any via ppp0

Now both Macs should be able to access the Internet. (If you had an 
additional Mac or two, you could assign them IP addresses of 
10.0.0.3, etc.)

I quit out of PPP Connect and then logged out and the PPP connection 
stayed up and the internal Mac could still go through. Of course, 
with a PPP connection, this may be a bad thing.

To turn everything off again:

1. Run ipfw to find the rule number you added:

    ipfw list

and you should see the "divert" is rule 100. Use the appropriate 
number, if it differs:

    ipfw delete 100

2. Run

    ps -ax | grep natd

to find natd's process id, then kill it. Say it's process 123:

    kill 123

3. Turn off ip forwarding.

    sysctl -w net.inet.ip.forwarding=0

4. Use PPP Connect to shut down the PPP connection.

If I were doing this a lot, I'd create two shell scripts, one to turn 
it on and one to turn it off.

NOTE: I am not sure how secure this setup is. The ipfw rule we added 
routes all internet traffic through natd, which provides a layer of 
protection, but I'm not sure how much protection it really is.

Note that you'd have to do these steps every time you reboot your 
MacOS X machine. You could make modifications to one of the /etc/rc* 
files to do it automatically, but I'm not sure the best way right now.

The "proper" way to do this is to have two ethernet interfaces 
instead of one ethernet and one PPP. Then you could leave it up all 
the time.
-- 

    Wayne Folta
    wfolta@netmail.to
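
The on and off steps from the report, combined into one script as an added example (not the author's code). It defaults to a dry run that prints each command; the `ipfw list` and `ps -ax` sample lines are constructed with an assumed layout, and all function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example, not the author's script. DRY_RUN=1 (default) prints each
# command instead of running it and reads the constructed samples below.
DRY_RUN="${DRY_RUN:-1}"
WAN_IF="${WAN_IF:-ppp0}"; LAN_IF="${LAN_IF:-en0}"; LAN_IP="${LAN_IP:-10.0.0.1}"

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Constructed samples of `ipfw list` and `ps -ax` output (layout is assumed).
sample_ipfw_list() {
    printf '%s\n' '00100 divert 8668 ip from any to any via ppp0' \
                  '65535 allow ip from any to any'
}
sample_ps() {
    printf '%s\n' '  PID  TT  STAT      TIME COMMAND' \
                  '  123  ??  Ss     0:00.02 natd -interface ppp0' \
                  '  456  p1  S+     0:00.00 grep natd'
}
list_rules() { if [ "$DRY_RUN" = 1 ]; then sample_ipfw_list; else ipfw list; fi; }
list_procs() { if [ "$DRY_RUN" = 1 ]; then sample_ps; else ps -ax; fi; }

# Rule numbers of divert rules bound to $WAN_IF (leading zeros stripped).
divert_rules() { awk -v ifc="$WAN_IF" '$2 == "divert" && $NF == ifc { print $1 + 0 }'; }
# PIDs whose command is natd itself, so the "grep natd" line is not matched.
natd_pids() { awk '$5 ~ /(^|\/)natd$/ { print $1 }'; }

nat_up() {
    run ifconfig "$LAN_IF" inet "$LAN_IP" up
    run sysctl -w net.inet.ip.forwarding=1
    run natd -interface "$WAN_IF"
    run ipfw add divert natd ip from any to any via "$WAN_IF"
}

# Same order as the manual teardown: rule, natd, then forwarding off,
# so the machine does not stay a router after the session.
nat_down() {
    for n in $(list_rules | divert_rules); do run ipfw delete "$n"; done
    for p in $(list_procs | natd_pids); do run kill "$p"; done
    run sysctl -w net.inet.ip.forwarding=0
}

case "${1:-}" in
    up)   nat_up ;;
    down) nat_down ;;
esac
```

Run it as root with `DRY_RUN=0` and the argument `up` or `down` once the printed commands match the manual steps; the PPP connection itself is still opened and closed with PPP Connect.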


					

Copyright © 2000-2008 Inside Mac Media, Inc. All rights reserved.