NAT Routing Setup
||Type of Product:
Mac OS X Server 10.3
Issue: Firewall blocks outgoing as well as incoming traffic
Solution: Set up Firewall rules to trust all traffic on the
Using NAT routing on Mac OS X Server v10.3 requires that the Firewall be
enabled. But the firewall rules apply to (and potentially block) all
packets coming into the server, including those that're merely passing
through on their way to the outside world. So, if (for example) you
don't have a rule enabling traffic to port 80 (http), any computer on
the internal network will not be able to access external web servers on
the internet, because the external servers are being "protected"
by the firewall's configuration. This is probably not what you want.
Fortunately, it's easy to fix, as long as you trust the computers on
your internal network (i.e. you aren't worried about protecting your
server from attack from the inside). You just need to build a firewall
rule that allows all traffic on the server's internal ethernet port(s).
First, you need to find out the unix-style names of the internal
port(s). The easiest way to do this is generally with the Network
utility's Info pane; it'll let you list the statistics for each of your
network interfaces by unix name (en0, en1, fw0, etc) -- look at the IP
Address(es) for each one to find out which ones are the "inside"
port on your NAT router (note: if you aren't sure what to look for, just
look for addresses starting with "10." or "192.168."
-- these are reserved for private internal use, and generally indicate
the "inside" of NAT).
For each "internal" port you found, create a rule in the
Advanced pane of Server Admin's Firewall module. It should look like
this (with the name of your "internal" port in place of
Then enable the rule(s) (they'll probably be the only
"Allow" rules that aren't checked), and all should be wonderful.
This Document Prepared By Gordon Davisson on 8/30/04