Special Network Security Problem

lilabila · Nov 19, 2012, 12:14 PM

Hi,

Since trying to solve this problem for some days now I'd like to ask you and hope you can help me.

I'm living next to my university and can use it's wifi network for internet. On my desk is a mac mini which establishes the connection and shares it via a USB Ethernet Adapter to an Airport Extreme Base Station.
The AE creates it's my own LAN where some devices can connect to the internet and sharing is active because. All devices are protected from the university network except the mac mini.
The mac mini is actually connected to 2 different LAN's now.
Unfortunately I don't know how I can protect the mini from the university LAN when sharing is enabled and the firewall is turned off for my own LAN.
The mini is connected via ethernet to the AEB btw as well

I appreciate any thought or suggestions!

For better understanding is this schematic:

Internet -- LAN(uni) -- Mac Mini -- VPN -- Ethernet(USB) -- Airport -- LAN(private) -- All Devices

In the optimal case I desire that no client of the LAN(uni) can establish a connection to any of my computers and that it is used for internet use only and all devices can securely share in LAN(private) without being attacked, especially the mac mini.

Thank you for reading

jahala · 12:40 AM

It seems to me all you really need is a firewall running on your mac mini that only allows stateful connections between the uni LAN and your internal LAN. What version of OS X are you running? I think since Tiger or Leopard, it ships with ipfw. Mountain Lion and possible Lion also ship with pf. Both are excellent firewalls that can accomplish what you need.

Varun Parikh · Nov 20, 2012, 02:58 AM

I think you should bring the shared network in another subnet, this will not allow the users from uni. network to access your network.

switon · Nov 20, 2012, 07:20 AM

Hi,

I concur with the above posts, your Mac mini should be acting as a firewall between the university and your private LAN subnet, setup using pfctl and afctl. Sharing should be restricted to your LAN subnet. You should also be running firewalls on all machines on your private LAN.

Switon

lilabila · Nov 21, 2012, 09:31 AM

Thank you for your suggestions. I'm running 10.8, not the Server.
My head is exploding right now after several days of excessive research, can you please assist me in doing it?

The uni LAN is in 172.x.x.x.x, my private is in 10.0.0.x

switon · Nov 21, 2012, 10:36 AM

Quote:

Originally Posted by lilabila

Thank you for your suggestions. I'm running 10.8, not the Server.
My head is exploding right now after several days of excessive research, can you please assist me in doing it?

The uni LAN is in 172.x.x.x.x, my private is in 10.0.0.x

Hi lilabila,

Now we wouldn't want to have to scrape brains off the ceiling, would we?

You can do what you wish to do without the Mac OS X Server, but to actually make it secure and flexible and convenient, you really should use the Server software. Yes, I know it is $20, but it is only $20.

To do without the Server.app, we would have to use numerous terminal commands setting up firewall rules, generating SSL certificates, and so forth, running the risk of exploding your head, something we've agreed would be nice to avoid if possible.

With Mac OS X Server running on your Mac mini, you would setup its DNS service to provide reasonable names for the machines on your LAN, such as "MyMBP.private", "LaserPrinter.private", "InkJet.private", "Sig-OthMBP.private", "Macmini.private", etc. Once DNS is setup, you could then start OD (Open Directory) if you wish to allow all or your computers and users to have networked logins from your LAN. You would also setup the VPN server on the Mac mini so that you can reach your LAN from outside (e.g., from the Internet). VPN then allows you to "login" to your LAN from anywhere in the world and use the resources as if you were sitting at home (such as using a shared disk or printer). The Mac mini's firewall, or your router, will keep everyone out except for those allowed to VPN into your LAN from the outside. You could also think about using the server's DHCP server and especially the RADIUS server for authentication, authorization, and accounting on your LAN thereby providing further security.

The Mac OS X Server is nothing to be afraid of using, it is designed to be "nearly" a single button click to start any service you wish to run.

...just some ideas...

Switon

Nov 19, 2012, 12:14 PM	#1
lilabila macrumors newbie Join Date: Mar 2011	Special Network Security Problem Hi, Since trying to solve this problem for some days now I'd like to ask you and hope you can help me. I'm living next to my university and can use it's wifi network for internet. On my desk is a mac mini which establishes the connection and shares it via a USB Ethernet Adapter to an Airport Extreme Base Station. The AE creates it's my own LAN where some devices can connect to the internet and sharing is active because. All devices are protected from the university network except the mac mini. The mac mini is actually connected to 2 different LAN's now. Unfortunately I don't know how I can protect the mini from the university LAN when sharing is enabled and the firewall is turned off for my own LAN. The mini is connected via ethernet to the AEB btw as well I appreciate any thought or suggestions! For better understanding is this schematic: Internet -- LAN(uni) -- Mac Mini -- VPN -- Ethernet(USB) -- Airport -- LAN(private) -- All Devices In the optimal case I desire that no client of the LAN(uni) can establish a connection to any of my computers and that it is used for internet use only and all devices can securely share in LAN(private) without being attacked, especially the mac mini. Thank you for reading
	0

Nov 20, 2012, 12:34 AM	#2
jahala macrumors regular Join Date: Feb 2008	Turn on the firewall It seems to me all you really need is a firewall running on your mac mini that only allows stateful connections between the uni LAN and your internal LAN. What version of OS X are you running? I think since Tiger or Leopard, it ships with ipfw. Mountain Lion and possible Lion also ship with pf. Both are excellent firewalls that can accomplish what you need. __________________ 11" Macbook Air, 1.8 GHz i7, 4GB RAM, 256 GB SSD; 32 GB iPhone 4, iOS 6 using StraightTalk prepaid SIM Last edited by jahala; Nov 20, 2012 at 12:40 AM. Reason: grammar error
	0

Nov 20, 2012, 07:20 AM	#4
switon macrumors 6502a Join Date: Sep 2012	Concur... Hi, I concur with the above posts, your Mac mini should be acting as a firewall between the university and your private LAN subnet, setup using pfctl and afctl. Sharing should be restricted to your LAN subnet. You should also be running firewalls on all machines on your private LAN. Switon
	0

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Switch to Linear Mode Hybrid Mode Switch to Threaded Mode

Nov 20, 2012, 02:58 AM	#3
Varun Parikh macrumors newbie Join Date: Nov 2012	I think you should bring the shared network in another subnet, this will not allow the users from uni. network to access your network.
	0

Nov 21, 2012, 09:31 AM	#5
lilabila Thread Starter macrumors newbie Join Date: Mar 2011	Thank you for your suggestions. I'm running 10.8, not the Server. My head is exploding right now after several days of excessive research, can you please assist me in doing it? The uni LAN is in 172.x.x.x.x, my private is in 10.0.0.x
	0


MacRumors Forums > Apple Systems and Services > Mac OS X > Mac OS X Server, Xserve, and Networking