Old Nov 19, 2012, 12:14 PM   #1
lilabila
macrumors member
 
Join Date: Mar 2011
Special Network Security Problem

Hi,

Since trying to solve this problem for some days now I'd like to ask you and hope you can help me.

I'm living next to my university and can use its wifi network for internet. On my desk is a mac mini which establishes the connection and shares it via a USB Ethernet Adapter to an Airport Extreme Base Station.
The AE creates my own LAN where some devices can connect to the internet, and sharing is active. All devices are protected from the university network except the mac mini.
The mac mini is actually connected to 2 different LANs now.
Unfortunately I don't know how I can protect the mini from the university LAN when sharing is enabled and the firewall is turned off for my own LAN.
The mini is connected via ethernet to the AEB btw as well.

I appreciate any thought or suggestions!

For better understanding, here is a schematic:

Internet -- LAN(uni) -- Mac Mini -- VPN -- Ethernet(USB) -- Airport -- LAN(private) -- All Devices

In the optimal case I desire that no client of the LAN(uni) can establish a connection to any of my computers and that it is used for internet use only and all devices can securely share in LAN(private) without being attacked, especially the mac mini.

Thank you for reading
Old Nov 20, 2012, 12:34 AM   #2
jahala
macrumors regular
 
Join Date: Feb 2008
Turn on the firewall

It seems to me all you really need is a firewall running on your mac mini that only allows stateful connections between the uni LAN and your internal LAN. What version of OS X are you running? I think since Tiger or Leopard, it ships with ipfw. Mountain Lion and possibly Lion also ship with pf. Both are excellent firewalls that can accomplish what you need.
__________________
11" Macbook Air, 1.8 GHz i7, 4GB RAM, 256 GB SSD; lost my 32 GB iPhone 4, now using Blackberry Bold (great for work!)

Last edited by jahala; Nov 20, 2012 at 12:40 AM. Reason: grammar error
Old Nov 20, 2012, 02:58 AM   #3
Varun Parikh
macrumors newbie
 
Join Date: Nov 2012
I think you should put the shared network in another subnet; this will not allow the users from the uni network to access your network.
Old Nov 20, 2012, 07:20 AM   #4
switon
macrumors 6502a
 
Join Date: Sep 2012
Concur...

Hi,

I concur with the above posts: your Mac mini should be acting as a firewall between the university and your private LAN subnet, set up using pfctl and afctl. Sharing should be restricted to your LAN subnet. You should also be running firewalls on all machines on your private LAN.

Switon
Old Nov 21, 2012, 09:31 AM   #5
lilabila
Thread Starter
macrumors member
 
Join Date: Mar 2011
Thank you for your suggestions. I'm running 10.8, not the Server.
My head is exploding right now after several days of excessive research, can you please assist me in doing it?

The uni LAN is in 172.x.x.x, my private is in 10.0.0.x
Old Nov 21, 2012, 10:36 AM   #6
switon
macrumors 6502a
 
Join Date: Sep 2012
RE: exploding heads and the server...

Quote:
Originally Posted by lilabila View Post
Thank you for your suggestions. I'm running 10.8, not the Server.
My head is exploding right now after several days of excessive research, can you please assist me in doing it?

The uni LAN is in 172.x.x.x, my private is in 10.0.0.x
Hi lilabila,

Now we wouldn't want to have to scrape brains off the ceiling, would we?

You can do what you wish to do without the Mac OS X Server, but to actually make it secure and flexible and convenient, you really should use the Server software. Yes, I know it is $20, but it is only $20.

To do without the Server.app, we would have to use numerous terminal commands setting up firewall rules, generating SSL certificates, and so forth, running the risk of exploding your head, something we've agreed would be nice to avoid if possible.

With Mac OS X Server running on your Mac mini, you would set up its DNS service to provide reasonable names for the machines on your LAN, such as "MyMBP.private", "LaserPrinter.private", "InkJet.private", "Sig-OthMBP.private", "Macmini.private", etc. Once DNS is set up, you could then start OD (Open Directory) if you wish to allow all of your computers and users to have networked logins from your LAN. You would also set up the VPN server on the Mac mini so that you can reach your LAN from outside (e.g., from the Internet). VPN then allows you to "login" to your LAN from anywhere in the world and use the resources as if you were sitting at home (such as using a shared disk or printer). The Mac mini's firewall, or your router, will keep everyone out except for those allowed to VPN into your LAN from the outside. You could also think about using the server's DHCP server and especially the RADIUS server for authentication, authorization, and accounting on your LAN, thereby providing further security.

The Mac OS X Server is nothing to be afraid of using, it is designed to be "nearly" a single button click to start any service you wish to run.

...just some ideas...

Switon
Old Nov 21, 2012, 12:24 PM   #7
lilabila
Thread Starter
macrumors member
 
Join Date: Mar 2011
Thank you very much for your message, switon! I really appreciate you trying to help me!

Since I started the whole thing, the Server.app was the very first thing I tried and it totally messed up everything, there was no Internet connection at all, and I had to reinstall a new System because its damage was irreversible. I was bitterly disappointed by it.

I tried so many different methods, after that I was looking into setting up a bridged connection from the wifi through the mini to the Airport Base Station and couldn't really manage to get it to work at all.
Then I set up several VMs (debian, ubuntu server, Windows 7, Snow Leopard Server) and tried to connect the wifi directly to the VM and use it as something like a pseudo firewall. Unfortunately I couldn't connect the wifi to the machine, I don't know why. Since I couldn't establish a bridge to the AEB, I can't do this to any VM either...


I really would love to create a true bridge connection, so that the signal captured from the wifi is completely flowing through the mini to the destination without touching anything in the mini at all.

In the last days I was also learning so many things related to networking, like how to calculate CIDR notation etc., IPv4 & IPv6 setups, so many things about OS X's limitations, WaterRoof and Ice... (forgot its name) Firewall, Routing tables etc. etc., then additionally learning linux from scratch... my head really hurts, I feel like Nietzsche in the beginning of his last 10 years

Anyway I'm not afraid of the terminal, I can use it, but don't really know what exactly to insert in this specific case...

If you can give me some little assistance I surely can manage it!

Thank you very much!
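Since none of the posts shows the actual rules, here is an added pf configuration (not from any poster) that implements what jahala and switon describe for a 10.8 mini: default deny, stateful outbound only on the university Wi-Fi, and shared services reachable only from the 10.0.0.x LAN. The interface names en1 and en3 and the /24 mask are assumptions (check `ifconfig`); the uni side's 172.x addresses never need to appear because everything arriving from that interface is dropped.

```pf
# Added example pf.conf for the Mac mini in this thread (not from any post).
# Assumptions, verify with `ifconfig`: Wi-Fi to the university is en1,
# the USB Ethernet adapter toward the AirPort is en3, private LAN is 10.0.0.0/24.
uni_if  = "en1"
lan_if  = "en3"
lan_net = "10.0.0.0/24"

set skip on lo0
# Drop silently rather than send resets, so the mini stays quiet on the uni side.
set block-policy drop

# Anchors from the stock 10.8 /etc/pf.conf; Internet Sharing places its NAT
# rules inside them, so they must be kept (assumed stock content).
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"

# Default deny on every interface; everything below is an explicit exception.
block all

# Uni side: the mini (and NATed LAN traffic) may open connections outward, and
# only replies matching a state entry get back in. The DHCP reply for the Wi-Fi
# lease is the one stateless inbound exception, since the request leaves from
# 0.0.0.0 and never creates a usable state.
block in on $uni_if
pass out on $uni_if inet keep state
pass in  on $uni_if inet proto udp from any port 67 to any port 68

# Private side: only hosts in 10.0.0.0/24 may reach the mini's shared services
# (including Bonjour multicast) or be forwarded out; any other source is dropped.
pass in  on $lan_if inet from $lan_net keep state
pass out on $lan_if inet to $lan_net keep state
```

Check the syntax first with `sudo pfctl -nf /path/to/pf.conf`, then load and enable it with `sudo pfctl -ef /path/to/pf.conf`; the System Preferences firewall is a per-application filter and does not replace these interface-level rules.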
Old Nov 21, 2012, 01:14 PM   #8
switon
macrumors 6502a
 
Join Date: Sep 2012
RE: Server...

Dang that Server.app! Yeah, I hear you...it can be frustrating and head exploding. I'm impressed that you thought about trying to use a VM to make one connection and another VM for the other connection --- very imaginative! I'm also impressed that you were learning Linux at the same time ---

I believe there are a couple of tutorials/primers for setting up the Mac OS X Server. I would recommend that you sit down with one of these (they are not long) and read through it before attempting anything else. I think you will be much more confident once you have read one of the tutorials, and then you won't have the disaster you had the first time you tried setting up Mac OS X Server. Believe it or not, in the long run this will be a much better solution for your problem.

Regards,
Switon

P.S. You do want the mini to act as the firewalling gateway between the uni LAN and your private LAN. Since you have an ABS, you can use the Airport Utility tool to set up the router to funnel VPN to the mini server. The mini server will do RADIUS, DHCP, DNS, OD, and VPN for you.

Last edited by switon; Dec 1, 2012 at 11:35 PM. Reason: ...removal of personal irrelevant information...
Old Nov 21, 2012, 03:31 PM   #9
lilabila
Thread Starter
macrumors member
 
Join Date: Mar 2011
Oh, such kind words from a pro like you? That's indeed motivating thank you!

You've convinced me in trying to setup the server.app …once again. For the sake of my head maybe.
I'll report how it's working out then.
However since going into all this Linux stuff I really feel attracted to debian

P.S. The mini is already acting as a firewalling gateway very well. The other devices are shielded from the uni LAN behind the AEP and all internet connectivity is through the mini. The only problem is that the mini itself is not only in the private LAN but also in the UNI LAN with several hundreds of other clients, and I can't turn on sharing on the mini therefore.
Wait…now I think you wanted to say something different… ok I get you now! Forget my last statement if it's irrelevant. I'll do the server and report how it's working out!

Thank you for your precious advice!
Old Nov 21, 2012, 03:54 PM   #10
switon
macrumors 6502a
 
Join Date: Sep 2012
Re: X-spurt...

Good luck with the Server.app,
Switon

P.S. Of course you know that Mac OS is just a highly modified version of unix, just like linux.

Last edited by switon; Dec 1, 2012 at 11:33 PM. Reason: ...removed personal info...
Old Nov 25, 2012, 08:11 AM   #11
lilabila
Thread Starter
macrumors member
 
Join Date: Mar 2011
Ok, I didn't get to make it...
For me it seems it is as tricky as my root problem

Thank you anyway for your guidance!