• Any 68K Macintosh listed here with a FPU (floating-point unit), a 80 MB hard drive or larger, 8 MB of RAM and two 10Base-T ethernet interfaces. The ethernet interfaces may consist of two Nubus ethernet cards or a built-in ethernet interface and one Nubus ethernet card. Built-in ethernet interfaces became popular on the Quadra series. A monitor, keyboard and mouse are required for the installation process only since most Macs will run headless.
• My personnal recommendations include the following Macintoshes: IIx, IIcx, IIci, IIsi, Q650, Q700, Q800, Q660AV, Q840AV. Each is very stable with NetBSD and meet most of the hardware requirements in there standard configuration. Other machines on the list should work just fine, I just don't have hands-on experience with them.
• Most people will need to get an extra ethernet card or two. Nubus ethernet card prices vary between $5 and $15 on the auction sites. I recommend using Ebay as I have had great success with the used Mac products I've purchased.
• External storage space for the 15 MB firewall installation archive.

1. Get the disktools image to allow you to partition your Macs hard drive. You will want to partition the hard drive to include at least a 50 MB NetBSD Root&Usr partition and a 16 MB swap partition. Follow the instructions in my install guide on how to do this.
2. Make sure you have the latest tar archive. You will need about 15 MB of disk space to store the archive. I have used external hard drives or ZIP disk drives for this purpose and they work fine. If you have enough room on the Mac partition of your hard drive you may use it instead.
3. Following the partitioning and formatting of your drive, use the NetBSD installer to extract the firewall archive to your NetBSD partition. This process may take 30 minutes on slower Macs, so it might be time for a coffee break.
4. DO NOT BUILD THE DEVICES USING THE INSTALLER, it's already been done in the archive.
5. Once the archive has been extracted, you are ready to boot your Mac into NetBSD.

Booting and Configuration:

1. Default settings for the firewall are as follows:
• A 'root' and 'user' account have been created with blank passwords. Change the passwords using the "passwd username" command as soon as possible, especially if your Mac is connected to a network.
• The ae0 interface is configured by default and assigned an IP address of 192.168.1.2. You can change the interface name later if you don't have ae0.
• The DHCP server is running on the ae0 interface, your internal interface that will eventually become your new internet gateway. It will automatically assign addresses between 192.168.1.3 and 192.168.1.15 to any machine which connects to that interface.
• The ae1 interface is assigned an IP address of 192.0.0.1. This will be your external interface to the outside world.
• IP filter is running on the ae1 interface with this ruleset. Everything is blocked by default unless you open it. Change the filter setting to suit your needs as only HTTP and SSH traffic are allowed through by default.
• IP NAT is operational on ae1 and maps 192.168.1.0/24 on ae0 to 0.0.0.0/32 on ae1 and vice versa.
• Only telnet and ssh services are running, everything else is disabled.
• Support for PPPoE is included for some DSL users, but is still experimental.
  
2. Pay close attention to the boot messages that appear on the screen while your machine is starting up. Depending on your ethernet interfaces available on you Mac you may see messages containing ae0, ae1, sn0, sn1, mc0. These are your network interfaces as NetBSD sees them. Typing the command "dmesg" will also list these interfaces.
3. Login to the machine as root to make configuration changes. No password required until you change it using "passwd root".
4. If required, change your internal interface by typing " mv /etc/ifconfig.ae0 /etc/ifconfig.xx0" at the command prompt, where xx can be sn or mc.
5. Set your DHCP server on this interface by editing /etc/rc.conf and changing the following line where xx0 is the name of your internal interface as defined in step 4:

   dhcpd=YES dhcpd_flags="-q xx0"

6. If required, change your external interface by typing " mv /etc/ifconfig.ae1 /etc/ifconfig.xx1" at the command prompt, where xx can be sn or mc.
7. If you changed your external interface name, you will have to change your IP NAT settings by editing the /etc/ipnat.conf file. You only need to change ae1 to the name of your external interface using the "xx1" format. Replace the two instances of ae1.
8. If you changed your external interface name you will also need to change the IP filter settings. Edit /etc/ipf.conf and change all "ae1" values to the value of your external interface.
9. Reboot your maching by typing "reboot" once your are done configuring the interfaces.

Using Your Firewall:

• To get a quick overview, take a look at my quickguide. This will explain some basic commands and give some idea of how to use your firewall/router.
• To firewall/route your traffic using a high speed connection such as a cable modem or DSL line you need to set the external interface for your particular situation. In all cases this will probably require you to plug your cable modem or dsl modem into the external interface and to edit the IP address in /etc/ifconfig.xx1, where xx is ae, sn, or mc. Typical settings are:
  • Static IP from cable or DSL provider - requires editing of IP address in /etc/ifconfig.xx1 and reboot.
  • Dynamic IP from DSL or cable provider - requires removal of the /etc/ifconfig.xx1 file and enabling of dhcp client in /etc/rc.conf as shown below where xx1 is your external interface name:

  dhclient=YES # behave as a DHCP client
  dhclient_flags="xx1" # blank: config all interfaces

  • If your DSL provider uses PPPoE, you probably have to set the external interface to something like 192.0.0.1 and enable PPPoE. Your username and password should be stored in /etc/ppp/pap-secrets. Edit this file and replace b1aaaaaa@sympatico.ca with your username and password with your password. To start PPPoE type "pppoe xx1 b1aaaaaa@sympatico.ca" where xx1 is your external interface. The file /usr/bin/startdsl can also be edited to simplify the process.
  • If you are using the Road Runner service you will need to get the login daemon from here. Read the instructions on how to configure it.
• Once you have the external interface operational, test it by trying to access a known website using lynx (i.e. lynx http://www.apple.com). If this fails check the file /etc/resolv.conf to insure that you have a nameserver IP address entered. If this fails, email me at ewinkler@erols.com. If successful, move to the next step.
• Connect the internal interface of your firewall to a network hub. Connect any computers, Mac or PC, to this hub. On each machine you want to share the connection, enable DHCP, with 192.168.1.2 as the host, to obtain an IP address between 192.168.1.3 and 192.168.1.15 from your firewall. Each machine will be assigned an IP automatically by your firewall. The DHCP server will automatically assign 192.168.1.2 as your new gateway. You're Done. Start sharing your secured bandwidth.

Questions or Problems: Please Send Me An Email