Return to Getting Started


Building Your Own Low Cost Firewall

We've all heard the term "firewall" to describe making a network more secure, but what does this mean? Aren't Internet firewalls supposed to be complicated and expensive? With the recent addition of IP Filtering, IPNetRouter becomes a very capable firewall router. This page explains the basic firewall concept and how you can use IPNetRouter to implement a firewall.

"Firewall" is actually a generic term for a mechanism that enforces an access policy. The basic building blocks of network firewalls are IP routers with filtering and proxy servers.

A "classic" firewall configuration uses two routers with a "Bastion Host" between them. One or more proxy servers on the Bastion Host selectively authenticate and log specific requests. Since IPNetRouter runs as software on a Macintosh, you can combine the routing, filtering, and proxy function in a single machine.

Consider a Macintosh with two Ethernet interfaces (E0 and E1). IPNetRouter provides full IP filtering on each Ethernet interface, and routing between them. Here's a simple block diagram:


IPNetRouter provides one kind of built-in proxy service (Network Address Translation). Network Address Translation prevents access from the public Internet to a private LAN, while still allowing hosts on the private LAN to access the public Internet. Depending on what kind of firewall you want, you may need to provide additional servers on the gateway machine. To understand how Network Address Translation works, refer to the Inbound Port Mapping page.

Here is another firewall example. We are assuming that our Internet connection is via the built-in ethernet port and our private LAN is connected to the slot 1 ethernet port.

Starting from the block diagram above we can configure the IP filters as follows:

  1. Set the filter on the Internet side to block any inbound packets whose source IP address matches the network number used for our LAN and the gateway itself. This insures any packets received by the gateway with the source IP address from our LAN must have come from our LAN (no IP spoofing from the public Internet is allowed).
  2. Set the filter on the Internet side to block any outgoing packets that don't originate from the gateway itself (source IP address must match the IP address of the gateway).
  3. Similarly, set the filter on the LAN side to block any outbound packets that don't originate from the gateway.
  4. Set the filter on the LAN side to block any inbound packets that are not from our LAN (source IP address does not match the network number of our LAN). This prevents machines on our LAN from trying to use a different network number (IP spoofing), and also prevents packets from our LAN being forwarded to the Internet since the filter on the Internet side will only pass packets that originate from the gateway, not from our LAN.

With this setup, no traffic can be routed directly between the Internet and our LAN. It must pass through a server on the gateway and then be resent from the gateway itself (only the gateway is allowed to originate traffic in both directions).

By putting a mail server on the gateway, hosts on our LAN and hosts on the public Internet can both send and receive email from this server, but can never talk to each other directly. We can now post company information on our "Intranet" using web servers on the LAN. The public Internet will never be able to see these servers since they are behind our firewall.

Here's what this setup might look like using IPNetRouter. Suppose we have been assigned a static IP address of by our ISP, and will use IP addresses from the range 192.168.0.x for our LAN. The filters described above can be specified as follows.

(NOTE: the list window above has been expanded to show all 8 filters at once).

The address is used on E0 (Ethernet Built-in) attached to the public Internet.
We use on E1 (Ethernet Slot 1) attached to our LAN.

Filters are invoked from TOP to BOTTOM. Hence the strategy is to first add a filter which BLOCKS all traffic on a specific interface, then add a PASS filter which will permit specific connections (datagrams). This is typically refered to as "punching a hole" into a firewall.

How does this work? Let's examine the filter order as seen by IPNetRouter:

Filter Order (top to bottom)

The first filter PASSes all packets RECEIVED on our slot 1 ethernet port which originated from our private subnet (only machines in our subnet).

Net Result of Filters 1 & 2: Only client machines connected through the slot 1 port within our designated subnet can use the IPNetRouter gateway.


2nd Filter: All other RECEIVED packets on this slot 1 interface are BLOCKed.


3rd Filter: This filter PASSes all packets SENT from the gateway onto the private LAN.

Net Result of Filters 3 & 4: Only packets originating from the gateway machine can be SENT out to our client machines.


4th Filter: All other packets SENT out of the gateway onto the private LAN to any other machine are BLOCKed.


5th Filter: This filter permits the gateway machine to SEND packets out to the Internet over the built-in ethernet port.

Net Result of Filters 5 & 6: Only packets originating from the gateway machine can be SENT out to the Internet.


Filter: All other packets SENT out of the gateway to the Internet are BLOCKed.


This filter BLOCKs all packets from the Internet which claim to originate from the same IP address as our gateway.

Net Result of Filter 7: Our gateway has a unique, public IP address. No other packets received should have this same IP address...if so, BLOCK them.


This filter BLOCKs any packets received from the public Internet that claim to originate from our private LAN (

Net Result of Filter 8: Our private subnet is strictly reserved to be used by client machines connected through the Slot 1 interface. All external attempts to use the gateway from a machine on the Internet and having an IP address within our private subnet will be BLOCKed.

Filtering is performed before Network Address Translation (NAT) for transmitted datagrams, and after NAT for received datagrams. This allows you to filter on the "Actual LAN Address" as opposed to the "Apparent Gateway Address".

A More Practical Firewall for users with a Static IP Address

If you carefully followed the example above, you will note that this is an absolute firewall. Not only will it prevent outside users from getting in to your LAN, but it will also prevent any client machines from getting out to the Internet! This is the way most good network administrators start building a firewall:

1. First prevent all access.

2. Then permit any specific access on a case by case basis (commonly called "punching holes in a firewall").

Most users of IPNetRouter, however, want all client machines to have access to the Internet, while preventing any intrusions into their client machines or unauthorized use of their router (i.e. spoofing). If you followed the example above, and understand the net results of invoking all of the eight filters, you will see that the way to let our client machines to access the Internet is to remove filter lines 3, 4, 5 and 6 of the above example.

This is what the IP Filtering window would look like (once again assuming the fixed IP address you have been assigned is

A More Practical Firewall for users with a Dynamic IP Address

Cable modem users are often assigned a dynamic IP address (through DHCP from their ISP), but still want the protection of a firewall while letting all their client machines access to the Internet. In this case, we simply replace the filter with the fixed IP address (second line from the bottom) with an entry for a dynamic IP address. To do this, just enter in the Source Net edit box. Your IP Filtering window should appear similar to this:

And if you really want to be a stickler....

There is one additional filter which can be added to the top of each of the above examples which will even further secure your private LAN. Most of the time this is not necessary, since most users of IPNetRouter are also the administrator of their own small private LAN. This filter simply ensures that no one else on the private LAN is claiming to be the gateway machine (which is not an easy thing to do anyway...since you would have to spoof packets). This filter would look like this:

With this filter, all packets RECEIVED on the slot 1 interface and claiming to be from (our IPNetRouter address) would be BLOCKed.

But, as mentioned previously, if you are in control of all the machines on your private LAN, there is very little use or need for this additional filter.

Building a Firewall and using the DHCP Server within IPNetRouter

If you are using the DHCP server within IPNetRouter to dynamically assign IP addresses on your private LAN, then you have to add yet one more PASS filter to any of the above examples. The reason is that we are BLOCKING all incoming packets into the Slot 1 ethernet interface which are not originating from the local subnet...and our client machines do not yet have an IP address in this subnet range (remember, these client machines are using DHCP to get an IP address assigned to them).

To remedy this, we add the following filter which permits incoming DHCP discover and request messages:

This filter PASSes all UDP protocol port 68 messages (DHCP negotiation messages) which are received on our internal ethernet interface so that the DHCP server within IPNetRouter can handle them.


It's a Wrap

Firewalls don't have to be complicated or expensive. A firewall is simply a mechanism for enforcing an access policy. The first step in choosing a firewall is to consider what access policies you wish to enforce. Using IPNetRouter, you can turn an existing Mac into a rock solid firewall router...for a lot less $ than any other commercial hardware based firewall router.

Just remember: first BLOCK...then PASS (and you only have to enter PASS filters when you want to punch holes in your Firewall).

There's lots of information about "firewalls" available on the web. Visit your favorite web search engine for more information.

Copyright 1998 by Sustainable Softworks.