Can I setup Mac mini as a LAN wide firewall?

Discussion in 'Macintosh Computers' started by ChrisH3677, Feb 9, 2005.

  1. ChrisH3677 macrumors 6502a

    Joined:
    Oct 6, 2003
    Location:
    Victoria, Australia
    #1
    I would like to use the Mac mini as a firewall on our network.

    But my understanding is a firewall needs two network cards (NICs) .

    - One to the internet on an external IP address

    - The second to the internal LAN on its private address range.

    Is getting a USB NIC the only way around this? Or is there some safe way to make the single NIC drive both IP addresses?

    Also, any recommendations on firewall software? Is the OS X one good enough for this purpose?

    thanks
     
  2. edesignuk Moderator emeritus

    edesignuk

    Joined:
    Mar 25, 2002
    Location:
    London, England
    #2
    I'd get a small form factor Compaq/Dell off eBay and put SmoothWall on it.
     
  3. relimw macrumors 6502a

    Joined:
    May 6, 2004
    Location:
    SC
    #3
    Or better yet, just get a Linksys befvp41 they're around $110 and do everything you need. Very good little boxes to have.
     
  4. ChrisH3677 thread starter macrumors 6502a

    Joined:
    Oct 6, 2003
    Location:
    Victoria, Australia
    #4
    You guys are surprisingly objective! Are you sure there's no Mac solution?
     
  5. Mitthrawnuruodo Moderator emeritus

    Mitthrawnuruodo

    Joined:
    Mar 10, 2004
    Location:
    Bergen, Norway
    #5
    Have you read this?

    It should be possible to run a mini with only darwin, and a firewall... with a usb-network-card in addition to the built-in...
     
  6. Hoef macrumors 6502a

    Hoef

    Joined:
    Jul 11, 2004
    Location:
    Houston, TX..... (keep walking)
    #6
    We try to spend capital wisely ;)
     
  7. relimw macrumors 6502a

    Joined:
    May 6, 2004
    Location:
    SC
    #7
    Oh there's a mac solution, he'll just need another network card. For a firewall tho, I'd prefer a dedicated piece of hardware. Software-only firewalls tend to have several problems.

    To me, it just sounds like he's trying to rationalize his desire to buy a Mac mini :)
     
  8. relimw macrumors 6502a

    Joined:
    May 6, 2004
    Location:
    SC
    #8
    Or spend $100 and have a piece of hardware you'll never need to reboot ever again and you'll still have the Mac mini to play games on :)
     
  9. varmit macrumors 68000

    varmit

    Joined:
    Aug 5, 2003
    #9
    I would say no because there is only one nic card.
     
  10. daveL macrumors 68020

    daveL

    Joined:
    Jun 18, 2003
    Location:
    Montana
    #10
    Macs or PCs are not good candidates for firewalls, unless you *really* know what you're doing and *really* craft a bare bones OS install for a *dedicated* solution, i.e. you only use it for a firewall/router (there's nothing left on the box for general purpose use - no GUI, etc.). Spend the small amount of $$ on a dedicated fw/router.
     
  11. ChrisH3677 thread starter macrumors 6502a

    Joined:
    Oct 6, 2003
    Location:
    Victoria, Australia
    #11
    Doh! Found out! Too true - am looking for any excuse to get a Mac at work. :D
     
  12. Mitthrawnuruodo Moderator emeritus

    Mitthrawnuruodo

    Joined:
    Mar 10, 2004
    Location:
    Bergen, Norway
    #12
    Yeah, I know, but it's what he asked for... and it would be a cool little $550 firewall... ;)
     
  13. Cuckoo macrumors 6502

    Joined:
    May 2, 2003
    Location:
    The Netherlands - Utrecht
    #13
    What you could do is build something like a router on a stick. In order to get it working, have a switch with 2 VLANs and a trunk port, connect your Mac mini to the trunk port, have two IP addresses assigned to the Ethernet interface, and you're ready to go.
    Assigning two IP addresses to your Ethernet interface is something that I believe Mac OS won't let you do, but I'm certain that the BSD core has a way of doing this.

    This is a technically solid way to do it. Which software you should use, I'm not sure; I'm more of a networking guy.....
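
The router-on-a-stick layout described in the post above, as an added example that is not part of the thread: one physical Ethernet port carries two 802.1Q-tagged VLANs from the switch's trunk port, each VLAN gets its own sub-interface and address on the Mac, the kernel forwards between them, and a packet filter enforces default-deny with NAT. The interface name (en0), the VLAN IDs (10 upstream, 20 LAN), the LAN range (192.168.1.0/24) and the use of pf are all assumptions; pf is what current macOS and the BSDs ship, whereas the 2005-era Mac in this thread would have used ipfw. Run without arguments it only prints the ruleset for review; `apply` (as root, on macOS) creates the sub-interfaces and loads it.

```shell
#!/bin/sh
# Added example (not from the thread): router-on-a-stick firewall on a
# single Ethernet port using 802.1Q VLAN sub-interfaces and pf.
# Assumptions: trunk port is en0, VLAN 10 faces the ISP, VLAN 20 is the LAN,
# the LAN is 192.168.1.0/24 and this box is 192.168.1.1 on it.

TRUNK_IF="en0"
WAN_VLAN=10
LAN_VLAN=20
LAN_NET="192.168.1.0/24"
LAN_ADDR="192.168.1.1"
LAN_MASK="255.255.255.0"

# Emit the pf ruleset. It is printed rather than written so it can be read
# (and syntax-checked with 'pfctl -nf') before anything is loaded.
write_pf_conf() {
    cat <<EOF
wan_if = "vlan${WAN_VLAN}"
lan_if = "vlan${LAN_VLAN}"
lan_net = "${LAN_NET}"

set skip on lo0
scrub in all

# Hide the LAN behind whatever address the ISP hands the WAN sub-interface
nat on \$wan_if inet from \$lan_net to any -> (\$wan_if)

# Default deny in both directions; log what gets dropped
block log all

# Drop packets whose source address does not belong on the interface they
# arrived on. Both VLANs share one physical port, so this matters more
# here than on a two-NIC firewall.
antispoof log quick for { lo0 \$lan_if \$wan_if }

# LAN hosts may open stateful connections to anywhere
pass in on \$lan_if inet from \$lan_net to any keep state
# Outbound on the WAN side: NAT has already rewritten the LAN source, so
# this carries both the translated LAN traffic and the firewall's own
pass out on \$wan_if inet from any to any keep state
# Manage the firewall over SSH from the LAN only; nothing is exposed upstream
pass in on \$lan_if inet proto tcp from \$lan_net to (\$lan_if) port 22 keep state
EOF
}

# Create the tagged sub-interfaces on the trunk and turn on forwarding.
# Needs root on macOS; 'ipconfig set ... DHCP' is the macOS way to ask the
# ISP side for an address.
configure_interfaces() {
    ifconfig "vlan${WAN_VLAN}" create
    ifconfig "vlan${WAN_VLAN}" vlan "${WAN_VLAN}" vlandev "${TRUNK_IF}"
    ifconfig "vlan${LAN_VLAN}" create
    ifconfig "vlan${LAN_VLAN}" vlan "${LAN_VLAN}" vlandev "${TRUNK_IF}"
    ipconfig set "vlan${WAN_VLAN}" DHCP
    ifconfig "vlan${LAN_VLAN}" inet "${LAN_ADDR}" netmask "${LAN_MASK}" up
    sysctl -w net.inet.ip.forwarding=1
}

# Syntax-check the ruleset first; only then enable pf and load it.
apply_firewall() {
    write_pf_conf > /etc/pf.conf.router
    pfctl -nf /etc/pf.conf.router
    pfctl -ef /etc/pf.conf.router
}

case "${1:-}" in
    apply) configure_interfaces && apply_firewall ;;
    *)     write_pf_conf ;;
esac
```

The switch side must tag both VLANs on the port the Mac plugs into and put the modem/ISP uplink in VLAN 10 untagged; if the switch also leaks VLAN 10 onto an access port on the LAN, the firewall is bypassed entirely, which is the price of sharing one cable. Every LAN packet also crosses that cable twice (in on VLAN 20, out on VLAN 10), so the trunk's throughput is effectively halved.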
     
  14. ChrisH3677 thread starter macrumors 6502a

    Joined:
    Oct 6, 2003
    Location:
    Victoria, Australia
    #14
    There is another reason I want to do this... I want to show that Macs can do anything Linux can do. And the Mac mini makes it affordable to experiment with.
     
  15. relimw macrumors 6502a

    Joined:
    May 6, 2004
    Location:
    SC
    #15
    Ok, well, if you can do it with Linux, you can do it with the mini. Probably use the exact same setup and software. I've personally never used one Ethernet interface and assigned two IPs to it, so I have no idea how to do that without some research.

    The low cost is the main reason my mini is on order. I've needed a good development machine to run developer releases of the OS on for some time. I've been a little afraid of late to install the beta releases Apple has been putting out since one of them took my machine offline (10.2.7 I think).
     
  16. ChrisH3677 thread starter macrumors 6502a

    Joined:
    Oct 6, 2003
    Location:
    Victoria, Australia
    #16
    This link is really really useful. Thanks
     
  17. varmit macrumors 68000

    varmit

    Joined:
    Aug 5, 2003
    #17
    But a bottleneck will happen at the USB NIC. Whereas two gigabit Ethernet cards on any PC or Mac can offer much better bandwidth. Of course you will either have to set the PC up as just a firewall using the firewall Linux suggested above (SmoothWall), or use a Mac, which could have more abilities, such as ease of use in setting up the firewall and other services. It could also double as something that could be used in a crisis (such as a PC virus making it through the firewall by email and all the PCs going nuts). Even just a mini set up as a backup, that is if you have the money, is a good idea for when the company gets hit hard with something it could not prevent.
     
  18. jeremy.king macrumors 603

    jeremy.king

    Joined:
    Jul 23, 2002
    Location:
    Fuquay Varina, NC
    #18
    Assuming your ISP plan is faster than 11Mbps.
     
  19. daveL macrumors 68020

    daveL

    Joined:
    Jun 18, 2003
    Location:
    Montana
    #19
    So you're routing all LAN traffic in AND out of the *same* interface (2 IPs)? Performance and latency would suck, big time.

    If you're doing this as a learning experience, great, but I'd never deploy your FW on my network. I'm not trying to be an ass, really.

    Also, if you're going to build a FW, FreeBSD/Mach (the open source core of OS X) is where you want to start, not OS X per se. As I said above, a FW needs to be devoid of any extra software that doesn't directly contribute to its intended function (GUI, apps etc.), since anything extra offers potential security holes into the FW.
     