|Nov 19, 2012, 12:14 PM||#1|
Special Network Security Problem
Since trying to solve this problem for some days now I'd like to ask you and hope you can help me.
I'm living next to my university and can use it's wifi network for internet. On my desk is a mac mini which establishes the connection and shares it via a USB Ethernet Adapter to an Airport Extreme Base Station.
The AE creates it's my own LAN where some devices can connect to the internet and sharing is active because. All devices are protected from the university network except the mac mini.
The mac mini is actually connected to 2 different LAN's now.
Unfortunately I don't know how I can protect the mini from the university LAN when sharing is enabled and the firewall is turned off for my own LAN.
The mini is connected via ethernet to the AEB btw as well
I appreciate any thought or suggestions!
For better understanding is this schematic:
Internet -- LAN(uni) -- Mac Mini -- VPN -- Ethernet(USB) -- Airport -- LAN(private) -- All Devices
In the optimal case I desire that no client of the LAN(uni) can establish a connection to any of my computers and that it is used for internet use only and all devices can securely share in LAN(private) without being attacked, especially the mac mini.
Thank you for reading
|Nov 20, 2012, 12:34 AM||#2|
Turn on the firewall
It seems to me all you really need is a firewall running on your mac mini that only allows stateful connections between the uni LAN and your internal LAN. What version of OS X are you running? I think since Tiger or Leopard, it ships with ipfw. Mountain Lion and possible Lion also ship with pf. Both are excellent firewalls that can accomplish what you need.
11" Macbook Air, 1.8 GHz i7, 4GB RAM, 256 GB SSD; lost my 32 GB iPhone 4, now using Blackberry Bold (great for work!)
Last edited by jahala; Nov 20, 2012 at 12:40 AM. Reason: grammar error
|Nov 20, 2012, 07:20 AM||#4|
I concur with the above posts, your Mac mini should be acting as a firewall between the university and your private LAN subnet, setup using pfctl and afctl. Sharing should be restricted to your LAN subnet. You should also be running firewalls on all machines on your private LAN.
|Nov 21, 2012, 09:31 AM||#5|
Thank you for your suggestions. I'm running 10.8, not the Server.
My head is exploding right now after several days of excessive research, can you please assist me in doing it?
The uni LAN is in 172.x.x.x.x, my private is in 10.0.0.x
|Nov 21, 2012, 10:36 AM||#6|
RE: exploding heads and the server...
Now we wouldn't want to have to scrape brains off the ceiling, would we?
You can do what you wish to do without the Mac OS X Server, but to actually make it secure and flexible and convenient, you really should use the Server software. Yes, I know it is $20, but it is only $20.
To do without the Server.app, we would have to use numerous terminal commands setting up firewall rules, generating SSL certificates, and so forth, running the risk of exploding your head, something we've agreed would be nice to avoid if possible.
With Mac OS X Server running on your Mac mini, you would setup its DNS service to provide reasonable names for the machines on your LAN, such as "MyMBP.private", "LaserPrinter.private", "InkJet.private", "Sig-OthMBP.private", "Macmini.private", etc. Once DNS is setup, you could then start OD (Open Directory) if you wish to allow all or your computers and users to have networked logins from your LAN. You would also setup the VPN server on the Mac mini so that you can reach your LAN from outside (e.g., from the Internet). VPN then allows you to "login" to your LAN from anywhere in the world and use the resources as if you were sitting at home (such as using a shared disk or printer). The Mac mini's firewall, or your router, will keep everyone out except for those allowed to VPN into your LAN from the outside. You could also think about using the server's DHCP server and especially the RADIUS server for authentication, authorization, and accounting on your LAN thereby providing further security.
The Mac OS X Server is nothing to be afraid of using, it is designed to be "nearly" a single button click to start any service you wish to run.
...just some ideas...
|Nov 21, 2012, 12:24 PM||#7|
Thank you very much for your message, switon! I really appreciate you trying to help me!
Since I started the whole thing, the Server.app was the very first thing I tried and it totally messed up everything, there was no Internet connection at all, and I had to reinstall a new System because it's damages were irreversible. I was bitterly disappointed of it.
I tried so many different methods, after that I was looking into setting up a bridged connection from the wifi through the mini to the Airport Base Station and couldn't really manage it to get to work at all.
Then I set several VM's (debian, ubuntu server, Windows 7, Snow Leopard Server) and tried to connect the wifi directly to the vm and use it as somethig like a pseudo firewall. Unfortunately I couldn't connect the wifi to the machine, I don't know why. Since I couldn't use establish a bridge to the AEB, I can't do this to any VM either...
I really would love create a true bridge connection, so that the signal captured of the wifi is completely flowing through the mini to the destination without touching anything in the mini at all.
In the last days I was also learning so may thing related to networking, like how to calculate CIRC Notation etc.. IP4 & IP6 setups.. so many things about OS X's limitations, Watterroof and Ice.. (forgot it's name) Firewall, Routing tables etc. etc. then additionally learning linux from scratch ... my head really hurts, I feel like Nietzsche in the beginning of his last 10 years
Anyway I'm not afraid of the terminal, I can use it, but don't really know what exactly to insert in this specific case...
If you can give me some little assistance I'll surely can manage it!
Thank you very much!
|Nov 21, 2012, 01:14 PM||#8|
Dang that Server.app! Yeah, I hear you...it can be frustrating and head exploding. I'm impressed that you thought about trying to use a VM to make one connection and another VM for the other connection --- very imaginative! I'm also impressed that you were learning Linux at the same time ---
I believe there are a couple of tutorials/primers for setting up the Mac OS X Server. I would recommend that you sit down with one of these (they are not long) and read through it before attempting anything else. I think you will be much more confident once you have read one of the tutorials, and then you won't have the disaster you had the first time you tried setting up Mac OS X Server. Believe it or not, in the long run this will be a much better solution for your problem.
P.S. You do want the mini to act as the firewalling gateway between the uni LAN and your private LAN. Since you have an ABS, you can use the Airport Utility tool to setup the router to funnel VPN to the mini server. The mini server will do RADIUS, DHCP, DNS, OD, and VPN for you.
Last edited by switon; Dec 1, 2012 at 11:35 PM. Reason: ...removal of personal irrelevant information...
|Nov 21, 2012, 03:31 PM||#9|
Oh, such kind words from a pro like you? That's indeed motivating thank you!
You've convinced me in trying to setup the server.app …once again. For the sake of my head maybe.
I'll report how it's working out then.
However since going into all this Linux stuff I really feel attracted to debian
P.S. The mini is already acting as a firewalling gateway very well. The other devices are shielded from the uni LAN behind the AEP and all internet connectiivity is through the mini. The only problem is that the mini itself is not only in the private LAN but also in the UNI LAN with several hundreds of other clients and I can't turn on sharing on the mini therefore.
Wait…now I think you wanted to say something different… ok I get you now! Forget my last statement if it's irrelevant. I'll do the server and report how it's working out!
Thank you for your precious advice!
|Nov 21, 2012, 03:54 PM||#10|
Good luck with the Server.app,
P.S. Of course you know that Mac OS is just a highly modified version of unix, just like linux.
Last edited by switon; Dec 1, 2012 at 11:33 PM. Reason: ...removed personal info...
|Thread Tools||Search this Thread|
|thread||Thread Starter||Forum||Replies||Last Post|
|File security while working in shared network||tokolosh||Mac Basics and Help||10||Mar 27, 2014 09:37 AM|
|Security Problem||LadySunshine||MacBook Pro||5||Mar 23, 2014 06:56 PM|
|Airport Guest Network Security||Davmeister||Mac Peripherals||7||Feb 6, 2014 12:53 PM|
|Change network security||cclloyd||Mac Basics and Help||1||Jun 7, 2013 11:04 PM|
|Can network security type impact connection?||c073186||Mac Basics and Help||2||May 20, 2013 07:10 PM|
All times are GMT -5. The time now is 10:58 AM.