Secure travelling with ipfw on OS X?

Dear (mac/bsd) Lazyweb,

Any idea how I can do the following, on Mac OS X?

iptables -t nat -A PREROUTING -p tcp -d my.pop.server --dport 110 -j DNAT --to-destination 127.0.0.1:1235
iptables -t nat -A OUTPUT -p tcp -d my.pop.server --dport 110 -j DNAT --to-destination 127.0.0.1:1235

Does ipfw(8) work in OS X? What magic will I have to use for this to work? All I really want is for my.pop.server:110 to point to localhost:1235, so if the SSH tunnel isn’t up, I can’t POP my mail. I wrote about this in Secure travelling tips with iptables and SSH port forwarding, as that’s what I do on Linux.

Why do I ask? I’m thinking that my personal laptop (currently a Dell Inspiron 640m running Linux) might actually be replaced with a MacBook Air in the near future (lighter, easier to carry, etc.). Oh, if you have comments about the Air, don’t hesitate to tell them to me as well.
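As an added example (not from the post or any commenter), here is an ipfw(8) approximation of the iptables OUTPUT rule above, assuming OS X's ipfw "fwd" action delivers locally generated matching TCP to the named local port as FreeBSD's ipfw(8) documents; my.pop.server and port 1235 are the post's placeholders, and the netstat sample is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: an ipfw(8) approximation of the
# iptables OUTPUT DNAT rule. Assumes OS X's ipfw "fwd" action delivers
# locally generated matching TCP to the given local port (FreeBSD ipfw(8)
# semantics); host and ports are the post's placeholders.
POP_HOST="my.pop.server"
POP_PORT=110
LOCAL_PORT=1235
RULE_NUM=1000

# Rule text: TCP from this host to my.pop.server:110, leaving the box, is
# handed to 127.0.0.1:1235 (the ssh -L listener). The hostname is resolved
# when the rule is installed, so install it while DNS works.
pop_fwd_rule() {
    printf 'add %s fwd 127.0.0.1,%s tcp from me to %s %s out\n' \
        "$RULE_NUM" "$LOCAL_PORT" "$POP_HOST" "$POP_PORT"
}

# Return 0 if netstat output ($1) shows a TCP listener on 127.0.0.1:$2.
# OS X netstat writes the local address as 127.0.0.1.1235 (dot separator).
tunnel_listening() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 ~ /^tcp/ && $NF == "LISTEN" && $4 == ("127.0.0.1." port) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of "netstat -an -p tcp" with the tunnel up.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  127.0.0.1.1235         *.*                    LISTEN
tcp4       0      0  192.168.1.5.49152      10.0.0.1.22            ESTABLISHED'

# Install the redirect (needs root). With the rule in place and the tunnel
# down, connections to port 1235 are refused, so mail never leaves in the
# clear; the tunnel check only reports that state.
apply_pop_redirect() {
    ipfw -q delete "$RULE_NUM" 2>/dev/null   # idempotent re-install
    ipfw $(pop_fwd_rule)                     # word splitting intended
    if tunnel_listening "$(netstat -an -p tcp)" "$LOCAL_PORT"; then
        echo "redirect installed; tunnel listening on $LOCAL_PORT"
    else
        echo "redirect installed; tunnel DOWN, POP will be refused" >&2
    fi
}

if [ "${1-}" = "apply" ]; then apply_pop_redirect; fi
```

The PREROUTING rule has no counterpart here because a laptop that forwards no traffic only needs the locally-originated (OUTPUT) case. Run as "sudo sh script.sh apply" to install the rule.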

12 Comments

  1. Anynomous says:

    xxs-computer:/Users/xx root# ip
    ip6 ip6fw ipcrm ipf-mod.pl
    ip6config ipconfig ipcs ipfw

    xxs-computer:/Users/xx root# ipfw -h
    ipfw syntax summary (but please do read the ipfw(8) manpage):
    ipfw [-acdeftTnNpqS] <command> where <command> is one of:
    add [num] [set N] [prob x] RULE-BODY
    {pipe|queue} N config PIPE-BODY
    [pipe|queue] {zero|delete|show} [N{,N}]
    set [disable N... enable N...] | move [rule] X to Y | swap X Y | show

    RULE-BODY: check-state [LOG] | ACTION [LOG] ADDR [OPTION_LIST]
    ACTION: check-state | allow | count | deny | reject | skipto N |
    {divert|tee} PORT | forward ADDR | pipe N | queue N
    ADDR: [ MAC dst src ether_type ]
    [ from IPADDR [ PORT ] to IPADDR [ PORTLIST ] ]
    IPADDR: [not] { any | me | ip/bits{x,y,z} | IPLIST }
    IPLIST: { ip | ip/bits | ip:mask }[,IPLIST]
    OPTION_LIST: OPTION [OPTION_LIST]
    OPTION: bridged | {dst-ip|src-ip} ADDR | {dst-port|src-port} LIST |
    estab | frag | {gid|uid} N | icmptypes LIST | in | out | ipid LIST |
    iplen LIST | ipoptions SPEC | ipprecedence | ipsec | iptos SPEC |
    ipttl LIST | ipversion VER | keep-state | layer2 | limit ... |
    mac ... | mac-type LIST | proto LIST | {recv|xmit|via} {IF|IPADDR} |
    setup | {tcpack|tcpseq|tcpwin} NN | tcpflags SPEC | tcpoptions SPEC |
    verrevpath

    welcome to mac.. :)

  2. byte says:

    Hi anonymous!

    I was hoping someone had a solution that didn’t involve me reading a man page and actually futzing with options…

  3. Matt says:

    If you are looking at the SSD Mac Air ( http://store.apple.com/133-622/WebObjects/australiastore.woa/9284021/wo/P16kZB5H7TjL23pQNJIXPmEmW5b/2.?p=0 ) — and I would over a very slow 4200RPM based disk, you may wish to consider an IBM/Lenovo Thinkpad X300. ( http://www-604.ibm.com/webapp/wcs/stores/servlet/CategoryDisplay?storeId=10000036&catalogId=-36&langId=36&categoryId=4611686018425111790&seriesid=2060574&referer=4611686018425096207&productId=4611686018425491953 )

    Why? It’s got everything the MacAir does… (small, light, SSD) and even better comes with an Ethernet port (which the Mac Air doesn’t!)

    It’s also quite a bit cheaper (around $540 AUD).

    Only downside — the MacAir ships with a 1.8GHz chip, whilst the X300 ships with a 1.2GHz CPU. (Both are Intel Core Duo 2s).

    However, you can use Linux on the X300 (it works extremely well like almost every Thinkpad). So that is a big plus. :)

    Food for thought. :-)

  4. James says:

    As well as the X300, you might want to look at the Toshiba Portege R500.

  5. kjusupov says:

    Seems that the author is trying to address a similar problem…

    http://www.applematters.com/article/using-ssh-secure-tunnels-for-the-common-man-part-i/

  6. byte says:

    @kjusupov: The tunnel itself is no problem… that can be done. It’s the ipfw part, which I can do easily in iptables, but am wondering how to do so in ipfw…

  7. byte says:

    Thanks James and Matt. I am seriously looking at the Air because it’s lightweight, and it runs OS X… good for laptop use. I’m tired of suspend/resume woes, non-working wireless on occasion, and the presentation hell of various projectors.

  8. kjusupov says:

    @byte: yeah, same problem with me… I got wifi around my place, and it would be cool to have all my mail traffic (maybe even some of http) go through ssh…

  9. byte says:

    @kjusupov: It can be done, if you configure your mail client to point to localhost:1234 (for example), and then do an SSH forward. This implies that you will always have to start up an SSH tunnel to collect mail, even when you’re on, say, wired Ethernet.

    HTTP? Easy. ssh -D is your friend. I’ve blogged about this before… SOCKS proxy works like a charm.

    It’s just rewriting instances of mail.some.server to localhost:port, because I don’t want to change the settings in the mail client every time.

  10. kjusupov says:

    @byte: actually the same issue… I don’t wanna change my mail settings every time…

  11. karl says:

    Maybe another option would be to use pop3s?

    If yes, you may try to tweak “Read local Unix mail in Mail.app”,

    https://codesnippets.joyent.com/posts/show/1392

    cheers
