Secure travelling with ipfw on OS X?
Dear (mac/bsd) Lazyweb,
Any idea how I can do the following, on Mac OS X?
iptables -t nat -A PREROUTING -p tcp -d my.pop.server --dport 110 -j DNAT --to-destination 127.0.0.1:1235
iptables -t nat -A OUTPUT -p tcp -d my.pop.server --dport 110 -j DNAT --to-destination 127.0.0.1:1235
Does ipfw(8) work in OS X? What magic will I have to use for this to work? All I really want is for my.pop.server:110 to point to localhost:1235, so if the SSH tunnel isn’t up, I can’t POP my mail. I wrote about this in Secure travelling tips with iptables and SSH port forwarding, as that’s what I do on Linux.
Why do I ask? I’m thinking that my personal laptop (currently a Dell Inspiron 640m running Linux) might actually be replaced with a MacBook Air in the near future (lighter, easier to carry, etc.). Oh, if you have comments about the Air, don’t hesitate to tell them to me as well.
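The closest ipfw equivalent of the OUTPUT DNAT rule above, as an added example that is not part of the original post: ipfw has no NAT rewrite here, but its fwd action hands matching outbound packets to a local socket, so the ssh -L listener on 127.0.0.1:1235 receives the connection and, if the tunnel is down, the POP connection simply fails. The script assumes ipfw's fwd action behaves as on FreeBSD for locally generated packets, that the tunnel is started as "ssh -L 1235:my.pop.server:110 somehost", and uses lsof (shipped with OS X) for the tunnel check; the rule number 1000 is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes ipfw fwd delivers
# matching locally generated packets to a local socket, as on FreeBSD.
POP_SERVER="my.pop.server"   # placeholder host name from the post
POP_PORT=110
LOCAL_PORT=1235              # where "ssh -L 1235:my.pop.server:110 host" listens
RULE_NUM=1000                # arbitrary rule number, chosen for this example

# Build the ipfw rule that plays the role of the iptables OUTPUT DNAT rule:
# outbound TCP from this host ("me") to the POP server's port 110 is handed
# to the local socket on 127.0.0.1:1235 instead of leaving the machine.
# Keywords used (fwd, me, out) all appear in the ipfw -h summary.
ipfw_fwd_rule() {
    server="$1"; dport="$2"; lport="$3"; num="$4"
    printf 'add %s fwd 127.0.0.1,%s tcp from me to %s %s out' \
        "$num" "$lport" "$server" "$dport"
}

# Fail-closed check: is anything listening on the tunnel's local port?
# Returns 0 when the ssh -L listener is up, non-zero otherwise.
tunnel_is_up() {
    lsof -nP -iTCP:"$1" -sTCP:LISTEN >/dev/null 2>&1
}

install_rule() {
    rule=$(ipfw_fwd_rule "$POP_SERVER" "$POP_PORT" "$LOCAL_PORT" "$RULE_NUM")
    # Word-splitting of $rule is intended: ipfw takes the rule as separate args.
    # shellcheck disable=SC2086
    sudo ipfw $rule
}

remove_rule() {
    sudo ipfw delete "$RULE_NUM"
}

# Usage as a script: ./popfwd.sh install | remove | status
case "${1:-}" in
    install) install_rule ;;
    remove)  remove_rule ;;
    status)
        if tunnel_is_up "$LOCAL_PORT"; then
            echo "tunnel up: POP goes through 127.0.0.1:$LOCAL_PORT"
        else
            echo "tunnel down: POP to $POP_SERVER will fail closed"
        fi ;;
esac
```

With the rule installed the mail client keeps pointing at my.pop.server:110; only the tunnel needs starting or stopping.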
[…] http://www.bytebot.net/blog/archives/2008/05/27/secure-travelling-with-ipfw-on-os-x asks Hoosgot, […]
xxs-computer:/Users/xx root# ip
ip6 ip6fw ipcrm ipf-mod.pl
ip6config ipconfig ipcs ipfw
xxs-computer:/Users/xx root# ipfw -h
ipfw syntax summary (but please do read the ipfw(8) manpage):
ipfw [-acdeftTnNpqS] <cmd> where <cmd> is one of:
add [num] [set N] [prob x] RULE-BODY
{pipe|queue} N config PIPE-BODY
[pipe|queue] {zero|delete|show} [N{,N}]
set [disable N... enable N...] | move [rule] X to Y | swap X Y | show

RULE-BODY:    check-state [LOG] | ACTION [LOG] ADDR [OPTION_LIST]
ACTION:       check-state | allow | count | deny | reject | skipto N |
              {divert|tee} PORT | forward ADDR | pipe N | queue N
ADDR:         [ MAC dst src ether_type ]
              [ from IPADDR [ PORT ] to IPADDR [ PORTLIST ] ]
IPADDR:       [not] { any | me | ip/bits{x,y,z} | IPLIST }
IPLIST:       { ip | ip/bits | ip:mask }[,IPLIST]
OPTION_LIST:  OPTION [OPTION_LIST]
OPTION:       bridged | {dst-ip|src-ip} ADDR | {dst-port|src-port} LIST |
              estab | frag | {gid|uid} N | icmptypes LIST | in | out | ipid LIST |
              iplen LIST | ipoptions SPEC | ipprecedence | ipsec | iptos SPEC |
              ipttl LIST | ipversion VER | keep-state | layer2 | limit ... |
              mac ... | mac-type LIST | proto LIST | {recv|xmit|via} {IF|IPADDR} |
              setup | {tcpack|tcpseq|tcpwin} NN | tcpflags SPEC | tcpoptions SPEC |
              verrevpath
welcome to mac.. :)
Hi anonymous!
I was hoping someone had a solution that didn’t involve me reading a man page and actually futzing with options…
If you are looking at the SSD Mac Air ( http://store.apple.com/133-622/WebObjects/australiastore.woa/9284021/wo/P16kZB5H7TjL23pQNJIXPmEmW5b/2.?p=0 ) — and I would over a very slow 4200RPM based disk, you may wish to consider an IBM/Lenovo Thinkpad X300. ( http://www-604.ibm.com/webapp/wcs/stores/servlet/CategoryDisplay?storeId=10000036&catalogId=-36&langId=36&categoryId=4611686018425111790&seriesid=2060574&referer=4611686018425096207&productId=4611686018425491953 )
Why? It’s got everything the MacAir does… (small, light, SSD) and even better comes with an Ethernet port (which the Mac Air doesn’t!)
It’s also quite a bit cheaper. (Around $540 AUD ).
Only downside — the MacAir ships with a 1.8Ghz chip, whilst the X300 ships with a 1.2Ghz CPU. (Both are Intel Core Duo 2s).
However, you can use Linux on the X300 (it works extremely well like almost every Thinkpad). So that is a big plus. :)
Food for thought. :-)
As well as the X300, you might want to look at the Toshiba Portege R500.
Seems that the author is trying to address the similar problem…
http://www.applematters.com/article/using-ssh-secure-tunnels-for-the-common-man-part-i/
@kjusupov: The tunnel itself is no problem… that can be done. It's the ipfw part, which I can do easily in iptables, but am wondering how to do so in ipfw…
Thanks James and Matt. I am seriously looking at the Air because it's lightweight, and it runs OS X… good for laptop use. I'm tired of suspend/resume woes, non-working wireless on occasion, and the presentation hell of various projectors.
@byte: yeah, same problem with me… I got wifi around my place, and it would be cool to have all my mail traffic (maybe even some of http) go through ssh…
@kjusupov: It can be done, if you configure your mail client to point to localhost:1234 (for example), and then do an SSH forward. This implies that you will always have to start up an SSH tunnel to collect mail, even when you're on, say, wired Ethernet.
HTTP? Easy. ssh -D is your friend. I’ve blogged about this before… SOCKS proxy works like a charm.
It's just rewriting instances of mail.some.server to localhost:port, because I don't want to change the settings in the mail client every time…
@byte: actually the same issue… I don't wanna change my mail settings every time…
Maybe another option would be to use pop3s?
If yes, you may try to tweak “Read local Unix mail in Mail.app”,
https://codesnippets.joyent.com/posts/show/1392
cheers