Installing and Configuring Your Firewall/Router
Required Mac Hardware:
Any 68K Macintosh listed here
with a FPU (floating-point unit), a 80 MB hard drive or larger, 8 MB of
RAM and two 10Base-T ethernet interfaces. The ethernet interfaces may consist
of two Nubus ethernet cards or a built-in ethernet interface and one Nubus
ethernet card. Built-in ethernet interfaces became popular on the Quadra
series. A monitor, keyboard and mouse are required for the installation
process only since most Macs will run headless.
- My personnal recommendations include the following Macintoshes: IIx, IIcx,
IIci, IIsi, Q650, Q700, Q800, Q660AV, Q840AV. Each is very stable with NetBSD
and meet most of the hardware requirements in there standard configuration.
Other machines on the list should work just fine, I just don't have hands-on
experience with them.
- Most people will need to get an extra ethernet card or two. Nubus ethernet
card prices vary between $5 and $15 on the auction sites. I recommend using
as I have had great success with the used Mac products I've purchased.
- External storage space for the 15 MB firewall installation archive.
Get the disktools
image to allow you to partition your Macs hard drive. You will want
to partition the hard drive to include at least a 50 MB NetBSD Root&Usr
partition and a 16 MB swap partition. Follow the instructions in my install
guide on how to do this.
Make sure you have the latest tar
archive. You will need about 15 MB of disk space to store the archive.
I have used external hard drives or ZIP disk drives for this purpose and
they work fine. If you have enough room on the Mac partition of your hard
drive you may use it instead.
- Following the partitioning
and formatting of your drive, use the NetBSD
installer to extract the firewall archive to your NetBSD partition. This
process may take 30 minutes on slower Macs, so it might be time for a coffee
- DO NOT BUILD THE DEVICES USING THE INSTALLER, it's already been done in
- Once the archive has been extracted, you are ready to boot
your Mac into NetBSD.
Booting and Configuration:
- Default settings for the firewall are as follows:
Pay close attention to the boot messages that appear on the screen while
your machine is starting up. Depending on your ethernet interfaces available
on you Mac you may see messages containing ae0, ae1, sn0, sn1, mc0. These
are your network interfaces as NetBSD sees them. Typing the command "dmesg"
will also list these interfaces.
Login to the machine as root to make configuration changes. No password
required until you change it using "passwd root".
If required, change your internal interface by typing " mv /etc/ifconfig.ae0
/etc/ifconfig.xx0" at the command prompt, where xx can be sn or mc.
Set your DHCP server on this interface by editing /etc/rc.conf and changing
the following line where xx0 is the name of your internal interface as defined
in step 4:
- A 'root' and 'user' account have been created with blank passwords. Change
the passwords using the "passwd username" command as soon
as possible, especially if your Mac is connected to a network.
- The ae0 interface is configured by default and assigned an IP address
of 192.168.1.2. You can change the interface name later if you don't have
- The DHCP server is running on the ae0 interface, your internal interface
that will eventually become your new internet gateway. It will automatically
assign addresses between 192.168.1.3 and 192.168.1.15 to any machine which
connects to that interface.
- The ae1 interface is assigned an IP address of 192.0.0.1. This will be
your external interface to the outside world.
- IP filter is running on the ae1 interface with this ruleset.
Everything is blocked by default unless you open it. Change the filter setting
to suit your needs as only HTTP and SSH traffic are allowed through by default.
- IP NAT is operational on ae1 and maps 192.168.1.0/24 on ae0 to 0.0.0.0/32
on ae1 and vice versa.
- Only telnet and ssh services are running, everything else is disabled.
- Support for PPPoE is included for some DSL users, but is still experimental.
dhcpd=YES dhcpd_flags="-q xx0"
If required, change your external interface by typing " mv /etc/ifconfig.ae1
/etc/ifconfig.xx1" at the command prompt, where xx can be sn or mc.
If you changed your external interface name, you will have to change your
IP NAT settings by editing the /etc/ipnat.conf file. You only need to change
ae1 to the name of your external interface using the "xx1" format.
Replace the two instances of ae1.
If you changed your external interface name you will also need to change
the IP filter settings. Edit /etc/ipf.conf and change all "ae1"
values to the value of your external interface.
Reboot your maching by typing "reboot" once your are done configuring
Using Your Firewall:
- To get a quick overview, take a look at my quickguide.
This will explain some basic commands and give some idea of how to use your
- To firewall/route your traffic using a high speed connection such as a cable
modem or DSL line you need to set the external interface for your particular
situation. In all cases this will probably require you to plug your cable
modem or dsl modem into the external interface and to edit the IP address
in /etc/ifconfig.xx1, where xx is ae, sn, or mc. Typical settings are:
- Static IP from cable or DSL provider - requires editing of IP address
in /etc/ifconfig.xx1 and reboot.
- Dynamic IP from DSL or cable provider - requires removal of the /etc/ifconfig.xx1
file and enabling of dhcp client in /etc/rc.conf as shown below where
xx1 is your external interface name:
dhclient=YES # behave as a DHCP client
dhclient_flags="xx1" # blank: config all interfaces
- If your DSL provider uses PPPoE, you probably have to set the external
interface to something like 192.0.0.1 and enable PPPoE. Your username
and password should be stored in /etc/ppp/pap-secrets. Edit this file
and replace email@example.com with your username and password
with your password. To start PPPoE type "pppoe xx1 firstname.lastname@example.org"
where xx1 is your external interface. The file /usr/bin/startdsl can also
be edited to simplify the process.
- If you are using the Road Runner service you will need to get the login
daemon from here. Read the instructions on
how to configure it.
- Once you have the external interface operational, test it by trying to access
a known website using lynx (i.e. lynx http://www.apple.com). If this fails
check the file /etc/resolv.conf to insure that you have a nameserver IP address
entered. If this fails, email me at email@example.com.
If successful, move to the next step.
- Connect the internal interface of your firewall to a network hub. Connect
any computers, Mac or PC, to this hub. On each machine you want to share the
connection, enable DHCP, with 192.168.1.2 as the host, to obtain an IP address
between 192.168.1.3 and 192.168.1.15 from your firewall. Each machine will
be assigned an IP automatically by your firewall. The DHCP server will automatically
assign 192.168.1.2 as your new gateway. You're Done. Start sharing your secured
Questions or Problems: Please Send Me An Email