NAT Routing Setup
Product:
Type of Product: Software
OS: Mac OS X Server 10.3
Issue: Firewall blocks outgoing as well as incoming traffic
Solution: Set up Firewall rules to trust all traffic on the
internal network
Details:
Using NAT routing on Mac OS X Server v10.3 requires that the Firewall be
enabled. But the firewall rules apply to (and potentially block) all
packets coming into the server, including those that are merely passing
through on their way to the outside world. So if, for example, you
don't have a rule allowing traffic to port 80 (http), no computer on
the internal network will be able to reach external web servers on
the internet, because the firewall is "protecting" the external servers
from your own clients. This is probably not what you want.
Fortunately, it's easy to fix, as long as you trust the computers on
your internal network (i.e. you aren't worried about protecting your
server from attack from the inside; a rule like this also exposes every
service the server runs to any internal host). You just need to build a
firewall rule that allows all traffic on the server's internal ethernet
port(s). Nothing is opened on the external interface.
First, you need to find out the unix-style names of the internal
port(s). The easiest way to do this is generally with Network Utility's
Info pane; it lists the statistics for each of your network interfaces
by unix name (en0, en1, fw0, etc.). Running ifconfig in Terminal shows
the same names and addresses. Look at the IP address(es) for each one
to find out which ones are the "inside" port on your NAT router (note:
if you aren't sure what to look for, look for addresses starting with
"10.", "172.16." through "172.31.", or "192.168." -- these ranges are
reserved for private internal use (RFC 1918) and generally indicate the
"inside" of NAT; 127.0.0.1 on lo0 is the loopback interface, not an
inside port).
For each "internal" port you found, create a rule in the
Advanced pane of Server Admin's Firewall module. It should look like
this (with the name of your "internal" port in place of
"en1"):
Then enable the rule(s) (they'll probably be the only "Allow" rules
that aren't checked) and save. Internal clients should now be able to
reach the outside world again, and the rest of the ruleset still
applies to the external interface.
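As an added example (not part of the original article, and not Server Admin's own code), the shell script below shows what such a rule amounts to in ipfw terms, the firewall engine behind the Firewall module in 10.3, and automates the interface hunt from the previous step: it picks out the interfaces with RFC 1918 addresses from a constructed ifconfig-style listing (the interface names and addresses in it are made up for the example) and prints the matching allow rule for each. The rule form "allow ip from any to any via <interface>" is assumed to be the ipfw equivalent of the Advanced-pane rule; use it to check what Server Admin installed with "sudo ipfw list" rather than adding rules by hand, since hand-added ipfw rules are not saved by Server Admin and are lost when the firewall is next restarted.

```shell
#!/bin/sh
# Added example, not from the original article: find the "inside" NAT
# interfaces in an ifconfig-style listing and print the ipfw rule that
# corresponds to an "allow everything on this interface" rule in the
# Advanced pane of Server Admin's Firewall module.

# Constructed ifconfig output for the example (names and addresses made up):
# en0 carries a public address, en1 carries a private one, fw0 has none.
IFCONFIG_SAMPLE='en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255
    ether 00:0d:93:aa:bb:cc
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
    ether 00:0d:93:dd:ee:ff
fw0: flags=8822<BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 2030
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000'

# Return 0 when a dotted-quad IPv4 address is in one of the RFC 1918 private
# ranges (10/8, 172.16/12, 192.168/16), else 1. Only the first two octets
# matter; note that 172.16/12 runs from 172.16 through 172.31, not all of 172.
is_private_ip() {
    o1=${1%%.*}
    rest=${1#*.}
    o2=${rest%%.*}
    case "$o1.$o2" in
        10.*)                            return 0 ;;
        192.168)                         return 0 ;;
        172.1[6-9]|172.2[0-9]|172.3[01]) return 0 ;;
    esac
    return 1
}

# Print the name of every interface in an ifconfig-style listing that has a
# private IPv4 address, one per line. Header lines ("en1: flags=...") name
# the interface; indented "inet" lines carry its address. Loopback
# (127.0.0.1) is not an RFC 1918 address, so lo0 is skipped.
inside_interfaces() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            [a-z]*:*)
                iface=${line%%:*} ;;
            *"inet "*)
                set -- $line      # $1=inet $2=address $3=netmask ...
                if is_private_ip "$2"; then
                    printf '%s\n' "$iface"
                fi ;;
        esac
    done
}

# The ipfw rule body assumed to match the "allow all traffic on this
# interface" rule. "via" matches packets received or sent on the interface,
# so the rule trusts both directions on the internal LAN, including traffic
# addressed to the server itself.
inside_allow_rule() {
    printf 'allow ip from any to any via %s\n' "$1"
}

# Walk the sample listing and print the rule expected for each inside
# interface; compare against the output of 'sudo ipfw list'.
for iface in $(inside_interfaces "$IFCONFIG_SAMPLE"); do
    inside_allow_rule "$iface"
done
```

For the sample listing the script prints one rule, for en1; on a real server, replace the sample with the output of ifconfig and confirm that every printed interface really is an internal one before trusting it, since a DHCP-assigned private address on the external port (a cable modem in a "10." range, say) would be picked up too.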
This Document Prepared By Gordon Davisson on 8/30/04