|Nov 19, 2012, 01:14 PM||#1|
Special Network Security Problem
Having tried to solve this problem for some days now, I'd like to ask you and hope you can help me.
I'm living next to my university and can use its wifi network for internet. On my desk is a Mac mini which establishes the connection and shares it via a USB Ethernet Adapter to an Airport Extreme Base Station.
The AE creates my own LAN where some devices can connect to the internet and sharing is active because. All devices are protected from the university network except the Mac mini.
The Mac mini is actually connected to 2 different LANs now.
Unfortunately I don't know how I can protect the mini from the university LAN when sharing is enabled and the firewall is turned off for my own LAN.
The mini is connected via ethernet to the AEB btw as well
I appreciate any thought or suggestions!
For better understanding, here is a schematic:
Internet -- LAN(uni) -- Mac Mini -- VPN -- Ethernet(USB) -- Airport -- LAN(private) -- All Devices
In the optimal case I desire that no client of the LAN(uni) can establish a connection to any of my computers and that it is used for internet use only and all devices can securely share in LAN(private) without being attacked, especially the mac mini.
Thank you for reading
|Nov 20, 2012, 01:34 AM||#2|
Turn on the firewall
It seems to me all you really need is a firewall running on your Mac mini that only allows stateful connections between the uni LAN and your internal LAN. What version of OS X are you running? I think since Tiger or Leopard, it ships with ipfw. Mountain Lion and possibly Lion also ship with pf. Both are excellent firewalls that can accomplish what you need.
11" Macbook Air, 1.8 GHz i7, 4GB RAM, 256 GB SSD; lost my 32 GB iPhone 4, now using Blackberry Bold (great for work!)
Last edited by jahala; Nov 20, 2012 at 01:40 AM. Reason: grammar error
|Nov 20, 2012, 08:20 AM||#4|
I concur with the above posts: your Mac mini should be acting as a firewall between the university and your private LAN subnet, set up using pfctl and afctl. Sharing should be restricted to your LAN subnet. You should also be running firewalls on all machines on your private LAN.
|Nov 21, 2012, 10:31 AM||#5|
Thank you for your suggestions. I'm running 10.8, not the Server.
My head is exploding right now after several days of excessive research, can you please assist me in doing it?
The uni LAN is in 172.x.x.x.x, my private is in 10.0.0.x
|Nov 21, 2012, 11:36 AM||#6|
RE: exploding heads and the server...
Now we wouldn't want to have to scrape brains off the ceiling, would we?
You can do what you wish to do without the Mac OS X Server, but to actually make it secure and flexible and convenient, you really should use the Server software. Yes, I know it is $20, but it is only $20.
To do without the Server.app, we would have to use numerous terminal commands setting up firewall rules, generating SSL certificates, and so forth, running the risk of exploding your head, something we've agreed would be nice to avoid if possible.
With Mac OS X Server running on your Mac mini, you would set up its DNS service to provide reasonable names for the machines on your LAN, such as "MyMBP.private", "LaserPrinter.private", "InkJet.private", "Sig-OthMBP.private", "Macmini.private", etc. Once DNS is set up, you could then start OD (Open Directory) if you wish to allow all of your computers and users to have networked logins from your LAN. You would also set up the VPN server on the Mac mini so that you can reach your LAN from outside (e.g., from the Internet). VPN then allows you to "login" to your LAN from anywhere in the world and use the resources as if you were sitting at home (such as using a shared disk or printer). The Mac mini's firewall, or your router, will keep everyone out except for those allowed to VPN into your LAN from the outside. You could also think about using the server's DHCP server and especially the RADIUS server for authentication, authorization, and accounting on your LAN thereby providing further security.
The Mac OS X Server is nothing to be afraid of using, it is designed to be "nearly" a single button click to start any service you wish to run.
...just some ideas...
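The stateful firewall suggested in posts #2 and #4, sketched as a pf ruleset; this is an added example, not something any poster in the thread wrote. The interface names `en1` and `en2` and the /24 mask on the private LAN are assumptions, and the rules are filter-only: they assume Internet Sharing keeps doing the NAT and that the AirPort hands out DHCP on the private LAN.

```pf
# Added example, not from the thread. Interface names are assumptions:
# confirm yours with `ifconfig` or `networksetup -listallhardwareports`.
ext_if  = "en1"           # assumed: Wi-Fi, university LAN side
int_if  = "en2"           # assumed: USB Ethernet adapter to the AirPort
lan_net = "10.0.0.0/24"   # private LAN from post #5, assuming a /24 mask

set block-policy drop     # drop silently instead of answering with RST/ICMP
set skip on lo0           # never filter loopback traffic

# Default deny. pf uses the last matching rule, so the pass rules
# below carve exceptions out of this block.
block log all

# University side: the mini (and the clients it forwards for) may open
# connections outward. "keep state" admits only the replies to those
# connections, so nothing on the uni LAN can initiate one inward.
pass out on $ext_if all keep state

# DHCP lease replies from the university's DHCP server.
pass in on $ext_if proto udp from any port 67 to any port 68

# Private side: LAN clients may reach the mini's shared services and
# be forwarded to the internet; the mini may talk to LAN clients.
pass in  on $int_if from $lan_net to any keep state
pass out on $int_if from any to $lan_net keep state
```

Saving this to a file and running `pfctl -nf` on it parses the rules without loading them, which catches syntax errors and wrong macro names before anything changes on the machine.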