Monday, November 12, 2007

Sharing your internet connection on OS-X tiger

I was trying to figure out this one, and like everything in OS-X it should be easy. But guess what? It is if you are in luck.

Like many folks I have a wireless gateway which provides Internet connections for all the computers in my house.

I also have this box where I have installed Ubuntu, which only has an Ethernet card, thus I cannot get to the Internet. I could if I were in the same room as my wireless gateway, because it has some wired Ethernet ports, but this computer, along with several others, is in another room, so I am out of luck.

Now, I do have an old mini-hub around so I said: Piece of cake! I will share the wireless Internet connection of another computer in the room, and connect both the sharing computer and the Ubuntu box to the old hub. That should do the trick.

I have shared internet connections using Windows and Linux, but I had never done it using OS-X. I love my Mac mini's quietness, which is why it is my main machine, so I will give it a try at sharing its connection.

The instructions on the Mac boil down to:


  • Select Apple Menu / System Preferences / Internet & network / Sharing.

  • On the sharing applet click on the Internet tab.

  • Select the adapter you will be sharing the connection from -- In my case it is the Airport as it is the one that is connected to the wireless gateway.

  • Select the port to share the connection to -- It is the built in ethernet, which I will connect to the old mini-hub.



Once I accept everything, OS-X warns me with a "!" saying: "Other settings may conflict with Internet sharing" and prompts me to click on a "More Info..." button.

I click and a dialog box informs me:

"Your firewall settings will prevent computers sharing
your internet connection from browsing the web.
Enable Personal Web Sharing in the Services pane to
allow computers sharing your connection to browse
the web."



Huhh?? I understand why the firewall settings may affect the connectivity of other users, but I do not understand what the Personal Web server has to do with anything here.

I follow the recommendation, expecting that things will magically sort themselves out.

I now go to my Ubuntu box, from where I want to be able to get to the Internet, try things out and... bummer, it does not seem to be working.

Google time: "Internet connection sharing OS-X"... and... Just a ton of articles which lead me nowhere as they just restate what is in the Mac help.

Ok, so, time to put on the troubleshooting shirt.

First the set of questions:

Q1: Is OS-X using a bridge, a router or a NAT device to provide connectivity?
Q2: What does the personal web server have to do with allowing connections?
Q3: How does the OS-X firewall work? Can I do per interface firewalling?

In order to start understanding this, I open a terminal on the Mac, as I want to find out the IP address of the Ethernet card on the Mac mini; this is the one that should work as gateway (or router?) for the Ubuntu box. The logic goes: If it is a router or gateway, it will have an address in the private address range, typically 192.168.xxx.xxx. If it is a bridge, then there may not be an address.

ifconfig tells me the following:


en0: flags=8863 mtu 1500
inet6 fe80::216:cbff:fea9:5a74%en0 prefixlen 64 scopeid 0x4
inet 169.254.84.190 netmask 0xffff0000 broadcast 169.254.255.255
inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255

Hmmm... en0, which is the ethernet port has two addresses, one locally administered 169.254.xxx.xxx, and an address in the private range 192.168.2.1. So, the router must be using the address in the private range to perform the routing.

I go to the Ubuntu box, and it also does have a 192.168.2.xxx address.

Now, unfortunately, 192.168.2 is the network I am also using on my wireless gateway, and it is the one which my Airport is using as default gateway. So, no wonder I was not having connectivity from the Ubuntu box. The fix is easy: I need to go to my gateway and change its address, which I move somewhere else, anything that is not sub-net 192.168.2. Once I have done this change, I get connectivity to the Internet from Ubuntu. Great!!
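
The overlap described above can be checked mechanically. The following is an added example, not part of the original post: it parses BSD-style ifconfig output and reports interfaces whose IPv4 subnets overlap. The en1 (Airport) stanza and its address 192.168.2.37 are constructed for illustration; only the en0 lines come from the output shown above.

```python
import ipaddress
import re
from itertools import combinations

# en0 is the output quoted in the post; en1 (Airport) is a constructed
# stanza assuming an address on the wireless gateway's 192.168.2.x network.
SAMPLE_IFCONFIG = """\
en0: flags=8863 mtu 1500
    inet6 fe80::216:cbff:fea9:5a74%en0 prefixlen 64 scopeid 0x4
    inet 169.254.84.190 netmask 0xffff0000 broadcast 169.254.255.255
    inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
en1: flags=8863 mtu 1500
    inet 192.168.2.37 netmask 0xffffff00 broadcast 192.168.2.255
"""

IFACE_RE = re.compile(r"^(\w+): flags=")
# BSD ifconfig prints the IPv4 netmask as 8 hex digits; "inet6" lines do not match.
INET_RE = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+) netmask (0x[0-9a-fA-F]{8})")


def parse_ifconfig(text):
    """Return [(interface, IPv4Network)] for every IPv4 address found."""
    nets, iface = [], None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = INET_RE.match(line)
        if m and iface:
            addr, hexmask = m.groups()
            mask = ipaddress.IPv4Address(int(hexmask, 16))
            # strict=False: the host address is reduced to its network.
            nets.append((iface, ipaddress.ip_network(f"{addr}/{mask}", strict=False)))
    return nets


def find_conflicts(nets):
    """Return pairs of entries on different interfaces whose subnets overlap."""
    return [(a, b) for a, b in combinations(nets, 2)
            if a[0] != b[0] and a[1].overlaps(b[1])]


if __name__ == "__main__":
    for (if_a, net_a), (if_b, net_b) in find_conflicts(parse_ifconfig(SAMPLE_IFCONFIG)):
        print(f"conflict: {if_a} {net_a} overlaps {if_b} {net_b}")
```

With the sample input this reports en0 and en1 both sitting in 192.168.2.0/24, which is why traffic from the Ubuntu box had no unambiguous route out.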

Still, however, I do not understand what the personal web server has to do with me allowing other computers access to the Internet... Think, think, think... Idea (Q4): Maybe OS-X, in all its wisdom, in order to shield me from the complexities of networking, is trying to tell me that in order to poke a hole for port 80 in the firewall I need to enable the personal firewall? And more questions:

Q5: Is OS-X using the personal firewall to manage all traffic through its firewall, or just port 80 traffic? I do not know how far magic goes, so it is a fair question.

This deserves some additional investigation, so I go to the Ubuntu box and navigate to a web site. Then I go to the Mac Mini and uncheck the personal web server. I switch back to the Ubuntu machine, try to navigate and yep, indeed, the personal web server is controlling my passage through the firewall. So, for now let's re-enable it on the Mac Mini.

Now I need to answer Q5: Is OS-X using the personal firewall to manage all traffic through its firewall, or just port 80 traffic?

So, I open a terminal window on the Ubuntu box and type:

ftp ftp.ibiblio.org

Nothing happens.

I go to the Mac mini and type the same to make sure that I am trying to get to a live ftp site, and indeed, it works from there. So Q5's answer is that the personal web server only controls access to the internet via port 80.

So now Q6: How do I enable access for other ports to go through the Mac Mini's OS-X gateway?

I see two alternatives: Turn off the firewall, which I won't do, or find another Mac service?

So, I go to the services tab on the Sharing applet on the Mac Mini and find "FTP Access". When I click it, the text under the start button says "Click Start to allow users of other computers to exchange files with this computer using FTP applications.". That seems cool, so I enable it, go back to the Ubuntu box and try to reconnect to ftp.ibiblio.org, and voila (or viola if you may) things are working.

Hmm, indeed OS-X seems to be merging the two concepts: Provision of a service with passage through the firewall under a single name. Now Q7: Is this so?

So, I go to the Ubuntu box and type http://192.168.2.1 and yes indeed, I get an Apache web page there. Now, I do not like that much, because it is one thing for me to want to go through a firewall, and another to have my Mac mini offer a Web service access point, using a Web server which I had no idea existed, and which is an additional point of attack for viruses... So, Q8: Is there a way to enable a port in the firewall without enabling a service?

In order to find this out, I click on the firewall tab in the sharing applet, and see a "New..." button. I click it, hoping that maybe here is the answer. In order to try it, I define a new port by selecting "Other" in the Port name drop-down menu, and the dialog box now offers TCP port number, UDP port numbers and a Description. I enter 80 in the TCP port number and "Port 80 forwarding" in the description. I then disable the personal web server, and go to the Ubuntu box and try to access the Web. The result: Success!!

So, what have I learned from all this?

1) OS-X uses a gateway which has a DHCP server and is preset to work on sub-net 192.168.2.
2) OS-X bundles together the concept of providing a service and providing passage through the firewall, however, you can split the two.

Anyway, hope this post helps whoever reads it.