Modifying Apple's pf.conf

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Modifying Apple's pf.conf

Kevin Ingwersen
Hey everyone!

I am sitting here with the following situation:

I just had to reinstall my OS X a while ago. Currently, this Mac Mini was used as a NAT router. It uses its Wifi to connect to the dorms internet, and is supposed to dish the data thru its ethernet port:

        Dorms Wifi —> Mac Mini —> Airport Express in bridge mode —> iPhone, Macbook, etc

The reason why I need this is that the dorms enforces a rule, which allows only one Mac address to be registered with their router. So in order to grant access to more devices, I need to use a NAT router. But here comes the tricky part. At some time, I wish to use a broadband dongle to offer the internet. Previously, I used the following dirty configuration file to manage that kind of „switching“ connection:


nat on en1 from en0:network to any -> (en1)
nat on en2 from en0:network to any -> (en2)
nat on ppp0 from en0:network to any -> (ppp0)
pass in from any to any
pass out from any to any


You can tell, I never used pfctl before, and only needed a dirty but working way of being able to switch my currently nat’ed internet… x)

But here is the problem.
With the new OS X update, the configuration files for pfctl changed. Which means, I am in a loss again.

So the pf.conf file now looks like this:


scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple“


When I try to append a similar block, but pointing to /etc/pf.anchors/SUBnet instead, I get syntax errors about the order of rules…so I am confused for good.

How do I add the „dirty“ hack from above into my pf.conf in order to keep NATing my internet?
Oh yeah, and Internet Sharing on OS X is broken. the dhcp service used does not dish out a proper lease, meaning that Non-Apple clients are doomed.

Hope you can help me :)

Kind regards,
Ingwie
Loading...