Can I set up a Mac mini as a LAN-wide firewall?
ChrisH3677
Feb 9, 2005, 03:13 PM
I would like to use the Mac mini as a firewall on our network.
But my understanding is a firewall needs two network cards (NICs) .
- One to the internet on an external IP address
- The second to the internal LAN on its private address range.
Is getting a USB NIC the only way around this? Or is there some safe way to make the single NIC drive both IP addresses?
Also, any recommendations on firewall software? Is the OS X one good enough for this purpose?
thanks
edesignuk
Feb 9, 2005, 03:16 PM
I'd get a small form factor Compaq/Dell off eBay and put SmoothWall (http://www.smoothwall.org/) on it.
relimw
Feb 9, 2005, 03:47 PM
Or better yet, just get a Linksys BEFVP41; they're around $110 and do everything you need. Very good little boxes to have.
ChrisH3677
Feb 9, 2005, 06:25 PM
You guys are surprisingly objective! Are you sure there's no Mac solution?
Mitthrawnuruodo
Feb 9, 2005, 07:04 PM
Have you read this? (http://www.macwrite.com/macsecurity/mac-os-x-security-part-2.php)
It should be possible to run a mini with only darwin, and a firewall... with a usb-network-card in addition to the built-in...
Hoef
Feb 9, 2005, 07:22 PM
You guys are surprisingly objective! Are you sure there's no Mac solution?
We try to spend capital wisely ;)
relimw
Feb 9, 2005, 07:27 PM
You guys are surprisingly objective! Are you sure there's no Mac solution?
Oh there's a mac solution, he'll just need another network card. For a firewall tho, I'd prefer a dedicated piece of hardware. Software-only firewalls tend to have several problems.
To me, it just sounds like he's trying to rationalize his desire to buy a Mac mini :)
relimw
Feb 9, 2005, 07:29 PM
It should be possible to run a mini with only darwin, and a firewall... with a usb-network-card in addition to the built-in...
Or spend $100 and have a piece of hardware you'll never need to reboot ever again and you'll still have the Mac mini to play games on :)
varmit
Feb 9, 2005, 07:36 PM
I would say no because there is only one nic card.
daveL
Feb 9, 2005, 09:03 PM
Macs or PCs are not good candidates for firewalls, unless you *really* know what you're doing and *really* craft a bare bones OS install for a *dedicated* solution, i.e. you only use it for a firewall/router (there's nothing left on the box for general purpose use - no GUI, etc.). Spend the small amount of $$ on a dedicated fw/router.
ChrisH3677
Feb 10, 2005, 01:03 AM
To me, it just sounds like he's trying to rationalize his desire to buy a Mac mini :)
Doh! Found out! Too true - am looking for any excuse to get a Mac at work. :D
Mitthrawnuruodo
Feb 10, 2005, 03:22 AM
Or spend $100 and have a piece of hardware you'll never need to reboot ever again and you'll still have the Mac mini to play games on :)
Yeah, I know, but it's what he asked for... and it would be a cool little $550 firewall... ;)
Cuckoo
Feb 10, 2005, 05:36 AM
What you could do is build something like a router on a stick. In order to get it working, have a switch with 2 VLANs and a trunk port.... connect your Mac mini to the trunk port, have two IP addresses assigned to the ethernet interface and you're ready to go.
Assigning two IP addresses to your ethernet interface is something that I believe Mac OS won't let you do, but I'm certain that the BSD core has a way of doing this.
This is a technically solid way to do it. Which software you should use, I'm not sure, I'm more of a networking guy.....
ChrisH3677
Feb 10, 2005, 07:02 AM
There is another reason I want to do this... I want to show that Macs can do anything Linux can do. And the Mac mini makes it affordable to experiment with.
relimw
Feb 10, 2005, 09:48 AM
There is another reason I want to do this... I want to show that Macs can do anything Linux can do. And the Mac mini makes it affordable to experiment with.
Ok, well, if you can do it with Linux, you can do it with the mini. Prolly use the exact same setup and software. I've personally never used one ether interface and assigned two IPs to it, so I have no idea how to do that without some research.
The low cost is the main reason my mini is on order. I've needed a good development machine to run developer releases of the OS on for some time. I've been a little afraid of late to install the beta releases Apple has been putting out since one of them took my machine offline (10.2.7 I think).
ChrisH3677
Feb 11, 2005, 02:25 AM
Have you read this? (http://www.macwrite.com/macsecurity/mac-os-x-security-part-2.php)
It should be possible to run a mini with only darwin, and a firewall... with a usb-network-card in addition to the built-in...
This link is really really useful. Thanks
varmit
Feb 11, 2005, 12:16 PM
This link is really really useful. Thanks
But a bottleneck will happen at the USB NIC. Whereas two gigabit ethernet cards on any PC or Mac can offer much better bandwidth. Of course you will either have to set the PC up as just a firewall using the firewall Linux suggested above (SmoothWall), or use a Mac, which could have more abilities, such as ease of use in setting up the firewall and other services. It could also double as something that could be used in a crisis (such as a PC virus making it through the firewall by email and all the PCs going nuts). Even just a mini set up as a backup, that is if you have the money, is a good idea for when the company gets hit hard with something it could not prevent.
jeremy.king
Feb 11, 2005, 12:24 PM
But a bottleneck will happen at the USB NIC.
Assuming your ISP plan is faster than 11Mbps.
daveL
Feb 11, 2005, 12:35 PM
What you could do is build something like a router on a stick. In order to get it working, have a switch with 2 VLANs and a trunk port.... connect your Mac mini to the trunk port, have two IP addresses assigned to the ethernet interface and you're ready to go.
Assigning two IP addresses to your ethernet interface is something that I believe Mac OS won't let you do, but I'm certain that the BSD core has a way of doing this.
This is a technically solid way to do it. Which software you should use, I'm not sure, I'm more of a networking guy.....
So you're routing all LAN traffic in AND out of the *same* interface (2 IPs)? Performance and latency would suck, big time.
If you're doing this as a learning experience, great, but I'd never deploy your FW on my network. I'm not trying to be an ass, really.
Also, if you're going to build a FW, FreeBSD/Mach (the open source core of OS X) is where you want to start, not OS X per se. As I said above, a FW needs to be devoid of any extra software that doesn't directly contribute to its intended function (GUI, apps etc.), since anything extra offers potential security holes into the FW.
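For readers who want to see what Cuckoo's router-on-a-stick idea (and daveL's default-deny, bare-bones advice) looks like in practice, here is an added example script, not from anyone in this thread: it carves one physical NIC into two 802.1Q VLAN sub-interfaces with the BSD `ifconfig` syntax Darwin inherited and loads a default-deny `ipfw` ruleset. All names are assumptions (physical port `en0`, VLAN 10 as the WAN side, VLAN 20 as the LAN side, constructed addresses); NAT via `natd` is left out, so it assumes the upstream routes the LAN prefix.

```sh
#!/bin/sh
# Added example (not from the thread): single-NIC "router on a stick" firewall.
# Assumed layout: en0 is trunked to a switch; VLAN 10 = WAN, VLAN 20 = LAN.
# Dry-run by default (prints each command); set APPLY=1 and run as root to apply.
NIC=${NIC:-en0}
WAN_VLAN=10; LAN_VLAN=20
WAN_IP=${WAN_IP:-203.0.113.10}        # constructed documentation address
LAN_IP=192.168.1.1; LAN_NET=192.168.1.0/24

run() {                               # execute, or just echo when dry-running
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# One tagged sub-interface per VLAN, both riding the same physical port.
setup_vlans() {
    run ifconfig "vlan$WAN_VLAN" create
    run ifconfig "vlan$WAN_VLAN" vlan "$WAN_VLAN" vlandev "$NIC"
    run ifconfig "vlan$WAN_VLAN" inet "$WAN_IP" netmask 255.255.255.0
    run ifconfig "vlan$LAN_VLAN" create
    run ifconfig "vlan$LAN_VLAN" vlan "$LAN_VLAN" vlandev "$NIC"
    run ifconfig "vlan$LAN_VLAN" inet "$LAN_IP" netmask 255.255.255.0
    run sysctl -w net.inet.ip.forwarding=1   # let the box route between VLANs
}

# Default-deny ipfw ruleset: the LAN may open connections outward,
# nothing may open connections inward, and LAN addresses arriving on
# the WAN sub-interface are dropped as spoofed.
setup_firewall() {
    run ipfw -f flush
    run ipfw add 100 allow ip from any to any via lo0
    run ipfw add 200 deny ip from "$LAN_NET" to any in via "vlan$WAN_VLAN"
    run ipfw add 300 check-state
    run ipfw add 400 allow tcp from "$LAN_NET" to any out via "vlan$WAN_VLAN" setup keep-state
    run ipfw add 410 allow udp from "$LAN_NET" to any 53,123 out via "vlan$WAN_VLAN" keep-state
    run ipfw add 500 allow icmp from any to any icmptypes 0,3,8,11
    run ipfw add 65000 deny log ip from any to any
}

# `sh fw.sh up` prints the plan; `APPLY=1 sh fw.sh up` applies it.
if [ "${1:-}" = "up" ]; then setup_vlans; setup_firewall; fi
```

Both VLANs share the trunk's bandwidth, which is exactly the latency cost daveL points out; the ruleset is the minimum a dedicated box should ship with, not a tuned production policy.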