Configure Interfaces

The Interfaces Tab in IPNetSentryX allows you to select which IP interfaces should have IP Filters applied and whether each is used as an "Internal" or "External" interface. The latter setting helps IPNetSentryX make better choices when testing packets against your rules. When you select an IP interface for filtering and turn "IPNetSentryX On", a Network Kernel Extension (NKE) is inserted in the corresponding link stream to perform the actual IP filtering.

Ethernet Bridging

Ethernet Bridging is a technique for passing traffic between two Ethernet-like devices such as Ethernet and AirPort. Although you can buy a hardware bridge inexpensively, the advantage of Ethernet bridging in software is that the bridged traffic still passes through the firewall, so you can filter or log it, and you can extend any wired Ethernet segment to AirPort wireless without regard to IP addresses or routing.

Example 1: suppose you have an AirPort base station connected to a cable modem which provides Internet access to other computers in your home. By enabling Ethernet bridging on one of those computers, any devices attached to the Ethernet port on that computer (such as a printer or pre-AirPort Macintosh) become part of your Local Area Network. No additional routing or network address translation is required.

Example 2: suppose you already have a router that connects your LAN to the Internet and want to insert a firewall between that router and the Internet. With Ethernet bridging, you can simply plug a Mac with two Ethernet ports into any cable segment to insert a firewall inline, without readdressing anything on either side.

To enable Ethernet bridging, select the Ethernet compatible network ports you want to bridge under the "Bridge" column in the Interfaces table. Although bridging does not require an IP address to be assigned, Mac OS X may not retain a network port as active unless it is configured with an IP address in the Network Preferences Panel.

Automatic Failover

IPNetSentryX allows you to specify a second gateway or router address to use as a backup in case the first default gateway (the router address in the Network Preferences Panel) becomes unavailable. Enter the second gateway in the Gateways column, separated from the first by a comma. If you have a cable modem and a DSL line from different ISPs, for example, you can make one the default route and designate the other as an alternate gateway.

If a connection attempt or DNS lookup is retransmitted twice without getting a response through the first gateway, it automatically fails over to the alternate gateway (by installing a host route for that destination on the fly).

If more than half of the connection table has failed over, IPNetSentryX will install the alternate gateway as a new default route.

The effect is that connections fail over transparently on the fly before the original connection attempt even times out. If the gateway is completely dead, the default route is updated to point to the gateway that is working. The second ISP connection provides transparent redundancy for improved reliability.
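The two rules above (two unanswered retransmissions move one connection to a host route; more than half of the connection table failed over moves the default route) can be made concrete with a small model. This is an added example written for this page, not IPNetSentryX's own code: the gateway addresses, the destinations and the connection table are constructed, and the assumption that a reply clears a connection's retransmission count is the example's own, since the text does not say so.

```python
"""Model of the automatic failover rules described on this page.

Added example, not IPNetSentryX's implementation. Thresholds follow the
text: a connection fails over after RETRANSMIT_LIMIT unanswered
retransmissions, and the default route changes once strictly more than
half of the connection table has failed over. Addresses are constructed
from the RFC 5737 documentation ranges.
"""
from dataclasses import dataclass, field

RETRANSMIT_LIMIT = 2         # unanswered retransmissions before one connection fails over
PRIMARY = "192.168.0.1"      # default gateway from Network Preferences (constructed)
ALTERNATE = "192.168.1.1"    # second entry in the Gateways column (constructed)


@dataclass
class Connection:
    dest: str
    retransmits: int = 0
    failed_over: bool = False


@dataclass
class FailoverModel:
    primary: str
    alternate: str
    default_route: str = field(init=False)
    host_routes: dict = field(default_factory=dict)   # dest -> gateway installed on the fly
    table: dict = field(default_factory=dict)         # dest -> Connection (the connection table)

    def __post_init__(self):
        self.default_route = self.primary

    def open(self, dest: str) -> None:
        """A new outbound connection attempt or DNS lookup to `dest`."""
        self.table[dest] = Connection(dest)

    def reply(self, dest: str) -> None:
        """A response arrived; assumption: this resets the retransmission count."""
        self.table[dest].retransmits = 0

    def retransmit(self, dest: str) -> None:
        """The sender saw no reply and resent (TCP SYN or DNS query)."""
        conn = self.table[dest]
        if conn.failed_over:
            return
        conn.retransmits += 1
        if conn.retransmits >= RETRANSMIT_LIMIT:
            conn.failed_over = True
            self.host_routes[dest] = self.alternate   # per-destination host route
            self._maybe_switch_default()

    def _maybe_switch_default(self) -> None:
        failed = sum(c.failed_over for c in self.table.values())
        if failed * 2 > len(self.table):              # strictly more than half
            self.default_route = self.alternate

    def gateway_for(self, dest: str) -> str:
        """Route lookup: a host route wins over the default route."""
        return self.host_routes.get(dest, self.default_route)


if __name__ == "__main__":
    m = FailoverModel(PRIMARY, ALTERNATE)
    for d in ("198.51.100.7", "203.0.113.9", "192.0.2.50"):
        m.open(d)
    for _ in range(RETRANSMIT_LIMIT):
        m.retransmit("198.51.100.7")
    print("after one failed connection, default route is", m.default_route)
    for _ in range(RETRANSMIT_LIMIT):
        m.retransmit("203.0.113.9")
    print("after two of three failed, default route is", m.default_route)
```

The point the model makes visible is the ordering: individual connections recover first, through host routes, and only a majority of failures rewrites the default route, so a single unreachable destination never flips the whole machine onto the backup ISP.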

Source Aware Routing

If you are providing a service like web or FTP and have more than one ISP connection, you can allow requests to arrive from either ISP on the corresponding IP address. When connection requests arrive on either link, the response is automatically routed back out the link it arrived on, overriding the default gateway if needed.

What Is An IP Interface?

The concept of a network interface can be confusing to people new to networking terminology so it may help to clarify exactly what we mean by this. When we talk about "PPP over Ethernet" (PPPoE) for example, is this a PPP interface or an Ethernet interface? [Answer: it's a PPP interface typically identified as "ppp0" to the IP routing layer.]

From outside the computer, a network interface may appear to be the Ethernet jack or internal modem, but these are more accurately described as network ports or devices. Within the computer, an IP interface is a data structure specifying various interface attributes like its IP address and mask, plus some code for handling messages associated with that structure. Thus a single port can have more than one IP interface. What's significant is that an interface defines a protocol, a set of messages that we're interested in, and some code for processing them. In practical systems, parts of the data structure that defines an IP interface may be implemented in more than one place: some in the IP layer of the BSD stack, some in the Network Preferences Panel (System Configuration Framework), and some in Extensions that provide other services such as IP filtering, Network Address Translation, PPP (Point-to-Point Protocol), or secure communication using PPTP or IPSec.

Within Mac OS X, the part of the IP interface data structure defined in the IP layer of the BSD stack is identified by a device name (such as "en0" or "ppp0") while the part defined in the System Configuration framework is identified by a Service ID (a so-called UUID or Universal Unique Identifier such as "FF414B0D-87ED-11D8-B1D9-000A95EEE352"). Since these UUIDs are machine specific and rather long, IPNetSentryX adopts a notation used by other UNIX systems of identifying additional IP interfaces on the same physical port by appending an index, as in "en0:1", to form a unique Interface ID. In this example "en0:1" indicates the second IP interface on en0, with the first interface being "en0:0" (abbreviated as just "en0"). Internally IPNetSentryX uses the corresponding device name or UUID as needed for communicating with other system components. The purpose of these Interface IDs is simply to correlate the separate pieces of the IP interface data structure wherever they appear.

The Network Preferences Panel also provides a "User Name" for each network service, but at the time of this writing, these User Names are not available to third-party applications like IPNetSentryX. IPNetSentryX displays the Interface Name as the Port Name followed by the Device Name in parentheses (both of which you can edit) and a unique Interface ID as described above. By convention, "en0" (Ethernet 0) is used for Built-in Ethernet, while "en1" is used for AirPort or the first PCI Ethernet card if there is one. "ppp0" is used for the first PPP device, which could be associated with a modem or PPPoE. "lo0" refers to the loopback interface used for interprocess communication.

Since Apple is free to enhance the IP interface data structure as defined in the Network Preferences Panel (System Configuration Framework), the Interfaces panel in IPNetSentryX does not try to emulate or replace the Network Preferences Panel, but rather works alongside it to provide additional interface attributes.

If you change locations in the Network Preferences Panel, IPNetSentryX may interpret the new interfaces as additions to the previous configuration and assign them new Interface IDs. To have IPNetSentryX rescan the entire list of available interfaces, press the "Refresh List" button.

Specifying a Range of IP Addresses

The concept of routing packets based on their corresponding range of IP addresses is central to the design of the Internet and has evolved over time resulting in several different terms and notations being used.

A "subnet mask" or "prefix length" is just a convenient shorthand for specifying a range of IP addresses. An IP address can be represented as a 32-bit binary number. To define a range of addresses, we divide these 32 bits into a network part and a host part. The subnet mask or prefix length tells us where the split occurs. If our gateway machine is assigned a local address of 192.168.0.1 and we want to indicate that this is from a range of 256 addresses, we can write this as 192.168.0.1/24, where the "/24" is the prefix length and indicates that the first 24 bits are used as the network part, so the range runs from 192.168.0.0 through 192.168.0.255. Alternatively, we can specify a subnet mask of 255.255.255.0, which says the same thing: the 24 one-bits of the mask select the network part and the 8 zero-bits select the host part. The Subnet Calculator tool in IPNetSentryX is useful for converting between IP address ranges, subnet masks, prefix lengths, network numbers, and host numbers.

A range of IP addresses defined by a subnet mask is sometimes called an "IP subnet". Some references use the term "network mask" in place of subnet mask. Historically, subnet masks were not required to be contiguous (all 1's followed by all 0's), but this practice is discouraged and no longer widely used because it was less efficient and cannot be expressed as a prefix length. As the Internet expanded, the need to keep routing and address assignment as efficient as possible became more important. Specifying network ranges as an IP address and prefix length is the preferred technique, adopted by the next generation of Internet Protocols, and is referred to as "CIDR notation" (Classless Inter-Domain Routing).
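The conversions the two paragraphs above describe, done by hand on 32-bit integers, as an added example (not the Subnet Calculator's own code): dotted mask to prefix length and back, the network/host split of 192.168.0.1/24, rejection of a non-contiguous mask, and the range-membership test that a filter rule performs when it matches an address against a range. The function names and the sample addresses are this example's own.

```python
"""Subnet arithmetic on 32-bit integers (added example, not IPNetSentryX code).

Covers the conversions the page describes: dotted mask <-> prefix length,
network number and host number, and whether an address falls in a range.
Sample addresses below are constructed.
"""

ALL_ONES = 0xFFFFFFFF


def ip_to_int(dotted: str) -> int:
    """Dotted quad -> 32-bit integer, rejecting malformed input."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | octet
    return value


def int_to_ip(value: int) -> str:
    """32-bit integer -> dotted quad."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """/24 -> 0xFFFFFF00: the top `prefix` bits set, the remaining bits clear."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (ALL_ONES << (32 - prefix)) & ALL_ONES


def mask_to_prefix(mask: int) -> int:
    """Inverse of prefix_to_mask. A mask has a prefix length only if it is
    contiguous (all 1s followed by all 0s); 255.255.0.255 is rejected."""
    prefix = bin(mask).count("1")
    if prefix_to_mask(prefix) != mask:
        raise ValueError(f"non-contiguous mask {int_to_ip(mask)} has no prefix length")
    return prefix


def describe(cidr: str) -> dict:
    """Split 'a.b.c.d/n' or 'a.b.c.d/m.m.m.m' (a bare address means /32)
    into mask, prefix, network number, broadcast, host number and range size."""
    addr_text, _, len_text = cidr.partition("/")
    addr = ip_to_int(addr_text)
    if not len_text:
        mask = ALL_ONES
    elif len_text.isdigit():
        mask = prefix_to_mask(int(len_text))
    else:
        mask = ip_to_int(len_text)
    prefix = mask_to_prefix(mask)
    host_mask = ~mask & ALL_ONES
    network = addr & mask
    return {
        "address": int_to_ip(addr),
        "mask": int_to_ip(mask),
        "prefix": prefix,
        "network": int_to_ip(network),
        "broadcast": int_to_ip(network | host_mask),
        "host_number": addr & host_mask,
        "range_size": 1 << (32 - prefix),
    }


def contains(cidr: str, ip: str) -> bool:
    """True when `ip` lies inside the range `cidr` names: the test a filter
    rule applies, implemented as a single mask-and-compare."""
    info = describe(cidr)
    return (ip_to_int(ip) & ip_to_int(info["mask"])) == ip_to_int(info["network"])


if __name__ == "__main__":
    for text in ("192.168.0.1/24", "192.168.0.1/255.255.255.0", "10.1.2.3"):
        print(text, describe(text))
    print(contains("192.168.0.0/24", "192.168.0.200"), contains("192.168.0.0/24", "192.168.1.1"))
```

Note that `describe` accepts the range written either way (prefix length or dotted mask) and normalises both to the same result, which is also the property that lets a rule written as "192.168.0.1/24" match the same 256 addresses as one written with 255.255.255.0.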

