Using Your New NetBSD Firewall/Router
Booting and Configuration:
- To startup your firewall/router, just plug it in and hit
the power button on the rear of the Mac. It will boot up and configure the
network interfaces automatically.
- Default settings for the firewall are as follows:
- A 'root' account has been created with a blank password.
A 'user' account has been created with a password 'pass' to allow you to
login using telnet. Change the passwords using the "passwd username"
command as soon as possible, especially if your Mac is connected to the
- The ae0 interface is configured by default and assigned
an IP address of 192.168.1.2.
- The DHCP server is running on the ae0 interface,
the internal interface that will eventually become your new internet gateway.
It will automatically assign addresses between 192.168.1.3 and 192.168.1.15
to any machine which connects to that interface. You can edit /etc/dhcpd.conf
to add more assignable IPs.
- The ae1 interface is assigned an IP address of 192.0.0.2.
This will be your external interface to the outside world. Edit /etc/ifconfig.ae1
to assign it the IP address given to you by your ISP. If it is dynamically
assigned, read on.
- IP filter is running on the ae1 interface
with this ruleset. All internet traffic
is blocked by default unless you open it. Change the filter settings to
suit your needs by editing /etc/ipf.conf. No inbound traffic is allowed
through the ae1 interface by default. Use ipfrestart to make
the new rules take effect. Be careful editing ipf.conf, as you could lock
yourself out of your own machine!!!
- IP NAT is operational on ae1 and maps
192.168.1.0/24 on ae0 to 0.0.0.0/32 on ae1 and vice versa. This is adequate
for any IP address assigned to ae1, so you should not have to change it.
- Only telnetd, httpd(Apache 1.3.12) and sshd services are
running, everything else is disabled. You can edit inetd.conf for
other basic services or rc.local for sshd. Use rc.local to
add daemons run at the user level, like rrlogind.
- Support for Road Runner cable modems is provided
by rrlogind. Run rrconf to setup your configuration and then
edit /etc/rc.local to run rrlogind at startup.
- Support for PPPoE is included for some DSL users,
but is still experimental. Run adsl-setup to configure ae1
- Login to the machine as root using an ssh client like NiftyTelnet
to make configuration changes. No password is required until you change
it using "passwd root". Optionally, you can use a Telnet
application with the user account and use "su root" to make
- Reboot your machine by typing "reboot" once your
are done configuring the interfaces. To shutdown the machine use "shutdown
-p now" as root. This will poweroff your Mac.
- This instruction sheet is available online through the Apache
Web Server running on your firewall. It is only accessable through the internal
ae0 interface. Just type 192,168.1.2 into your web browser.
Using Your Firewall:
- To get a quick UNIX overview, take a look at my quickguide.
This will explain some basic commands and give some idea of how to use your
firewall/router in a home network setting.
- To firewall/route your traffic using a high speed connection
such as a cable modem or DSL line you need to set the external interface for
your particular situation. In all cases this will probably require you to
plug your cable modem or dsl modem into the external interface, ae1,
and to edit the IP address in /etc/ifconfig.ae1.
Typical settings are:
- Add the nameserver IP addresses given to you by
your internet provider to /etc/resolv.conf in the format shown
in the file.
- Static IP from DSL or cable provider - requires
editing of IP address in /etc/ifconfig.ae1 and a reboot
of the firewall.
- Dynamic IP from DSL or cable provider - requires
removal of the /etc/ifconfig.ae1 file and enabling of the dhcp
client in /etc/rc.conf as shown below where ae1 is your external
dhclient=YES # behave as a DHCP client
dhclient_flags="ae1" # blank: config all interfaces
- If your DSL provider uses PPPoE, use adsl-setup
to configure your connection. Then you can use adsl-start and adsl-stop
to bring your connection up and down. To automate the process at boot
time, add adsl-start to /etc/rc.local.
- If you are using the Road Runner cable modem service
you will need to run rrconf to set your username, password, and
Road Runner server name. Then, edit /etc/rc.local to start the
rrlogind at boot time. Reboot your firewall by typing "reboot".
- Once you have the external interface operational, test it
by trying to access a known website using the lynx text based web browser
(i.e. lynx http://www.apple.com). If this fails, check the file /etc/resolv.conf
to insure that you have a nameserver IP address entered. If this fails, email
me at firstname.lastname@example.org. If successful,
move to the next step.
- Connect the internal interface of your firewall to a network
hub. Connect any computers, Mac or PC, to this hub. On each machine you want
to share the connection, enable DHCP, with 192.168.1.2 as the host,
to obtain an IP address between 192.168.1.3 and 192.168.1.15 from your
firewall. Each machine will be assigned an IP automatically by your firewall.
The DHCP server will automatically assign 192.168.1.2 as your new gateway.
You're Done. Start sharing your secured bandwidth!!!
Questions or Problems: Please Send Me An Email