
Re: MASQ/Firewall on a Mac?

 Kevin van Haaren wrote:

At 3:39 PM +0200 10/13/01, Michel Dänzer wrote:

On Sat, 2001-10-13 at 06:27, Michael D. Crawford wrote:

I'm thinking of setting up my Mac 8500 with Debian PowerPC to use it as a firewall and IP Masquerading server. Does this work OK, and are there any issues I should know about?

Like does the kernel support for this work OK on PowerPC, and have the user space utilities been ported to PowerPC?

Yes and yes. Such software shouldn't have any architecture dependencies, so it would be very badly written if it didn't work out of the box in the first place.

The only caveat I would add is that if you want to use iptables instead of ipchains, you'll need to get a 2.4 kernel that works reliably on PowerPC. I have been using a stock 2.4.10 kernel on a C500 (603e chip) that seems to work pretty well (except for the AdvanSys SCSI drivers). I don't run it as a masquerade/firewall box.

I've made it work under both 2.2 and 2.4 kernels. I'm not sure the 2.2.19 kernel_image deb in potato is configured properly, but the one in sid is.

If using 2.4, e.g. the 2.4.8-powerpc deb in sid (or newer, I haven't dselected in the last week), you just need to load the ipchains module using modconf (to make sure it loads at boot time).

Next, set up /etc/network/interfaces properly so you can ping machines on the internet and on your LAN.

Then with either kernel, just "apt-get install ipmasq" and your masquerading box will be set up with very conservative firewall rules. And it will restart when you reboot. If you use PPP, it will start and stop with each connect/disconnect. It's all automatic, including detection of which interface is on the internet. Yes, it's that simple. Isn't Debian great?

The only complication I've had is that it doesn't work properly with dhcpcd unless you configure it (using dpkg-reconfigure ipmasq) to run the ipmasq init.d script as late as possible, I think after network services. But it works fine either way with dhcp-client.


-Adam P.

GPG fingerprint: D54D 1AEE B11C CE9B A02B  C5DD 526F 01E8 564E E4B6

Welcome to the best software in the world today cafe! <http://lyre.mit.edu/%7Epowell/The_Best_Stuff_In_The_World_Today_Cafe.ogg>
