#1
Triple-A Player
Join Date: Jan 2002
Location: NJ
Posts: 172
Hello all,
I'm trying to understand OS X's firewall and have hit a bit of a wall. I think I need some Networking 101. Basically this all started because I wanted to see which would be better/easier to use: OS X's firewall or my DSL modem/gateway/router's firewall. But I started getting confused when I did the 'ShieldsUP!' test at http://www.grc.com. That test shows the IP address as being completely different from what is shown in the Sharing panel of System Preferences. I concluded that the network address is just what the name implies: an address that is accessible on the LAN, not from the outside world. If my conclusion is right, how would I determine what my IP address, as 'seen' by the world, is?
Okay, the next bit of confusion came when I opened up ports using the Firewall panel. I opened up FTP and HTTP. The port scanner test at grc.com (and Symantec) still showed that my computer was in stealth mode, even though these ports are open. I double-checked the DSL modem's firewall, and that was off, so it could not have been blocking the ports.
So I guess my questions for now are: How do I determine -- using the Terminal?? -- what my true IP address is? What is happening that my computer's ports are all in 'stealth' -- not even closed -- and cannot be opened??
Thanks, Fernando
__________________
Health, Wealth & Happiness
Last edited by hembeck; 01-04-2005 at 07:34 PM.

#2
MVP
Join Date: Oct 2003
Location: San Francisco
Posts: 1,441
Not sure if you ever use WhatIs, but go there and search for NAT. That should provide some more insight into the IP address mystery.
Another site you might find helpful is MyIP?. That will display your "internet IP". As for the "stealthy" ports, I'm not sure.
__________________
“If more police, more prisons and more prosecutors was a solution to safer streets, the United States and China would be the safest countries on the planet, and they’re not...” -Jane Sterk

#3
Triple-A Player
Join Date: Aug 2003
Location: San Francisco Bay Area, CA
Posts: 227
If your Mac has an address starting with 192.168. or 10., then you're behind a device (probably DSL modem or broadband gateway) that's doing network address translation (NAT). In this case, regardless of any other "firewall" settings, your computer's local IP will not be seen by any devices on the WAN side of your NAT device. That said, you can allow certain incoming services like http or ftp by setting up port forwarding (aka "Pinholing" on some Cayman TCP routers) on your NAT device, but it needs to be done on the device doing the NAT, not on some other LAN firewall device.
As fat elvis said, to see your public IP (i.e. what shows up in a webserver log file when you visit a site), try whatismyip.com. As for "stealth mode," that probably means you're behind a NAT device.
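
The rule of thumb in post #3, as an added example that is not part of any poster's message: a POSIX shell sketch that classifies the address shown in the Sharing panel and compares it with the address a remote site reports. It goes beyond the two prefixes named in the post by also covering 172.16.0.0/12 and the carrier-grade NAT range 100.64.0.0/10; the function names and sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Addresses below are constructed samples.

# Print the class of an IPv4 address: private, cgnat, loopback,
# link-local, public, or invalid (non-zero exit status).
classify_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) echo invalid; return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                       # split the dotted quad into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || { echo invalid; return 1; }
    for o in "$@"; do
        case $o in ????*) echo invalid; return 1 ;; esac
        [ "$o" -le 255 ] || { echo invalid; return 1; }
    done
    a=$1 b=$2
    if   [ "$a" -eq 10 ]; then echo private                      # 10.0.0.0/8
    elif [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then
        echo private                                             # 172.16.0.0/12
    elif [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; then echo private # 192.168.0.0/16
    elif [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then
        echo cgnat                                               # 100.64.0.0/10
    elif [ "$a" -eq 127 ]; then echo loopback                    # 127.0.0.0/8
    elif [ "$a" -eq 169 ] && [ "$b" -eq 254 ]; then echo link-local
    else echo public    # none of the above; treated as routable in this sketch
    fi
}

# $1 = address configured on the Mac, $2 = address a remote site reports.
# "nat:<class>" means inbound ports must be forwarded on the translating device;
# "direct" means no address translation sits between the host and the scanner.
nat_verdict() {
    lc=$(classify_ipv4 "$1") || { echo invalid; return 1; }
    classify_ipv4 "$2" >/dev/null || { echo invalid; return 1; }
    if [ "$1" = "$2" ]; then echo direct; else echo "nat:$lc"; fi
}

nat_verdict 192.168.1.5 203.0.113.7    # prints nat:private
nat_verdict 203.0.113.7 203.0.113.7    # prints direct
```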

#4
Triple-A Player
Join Date: Jan 2002
Location: NJ
Posts: 172
Thanks, it's becoming clearer. I'll read up on NAT.
So the firewall -- either OS X or the gateway's firewall -- only comes into play if someone manages to get past NAT?? But if NAT is pretty much keeping me invisible, how could they see my computer in the first place? -Fernando
__________________
Health, Wealth & Happiness
Last edited by hembeck; 01-05-2005 at 01:47 AM.

#5
Triple-A Player
Join Date: Aug 2003
Location: San Francisco Bay Area, CA
Posts: 227
They can't (although it depends a bit on what you mean by "see"). "They" are seeing your NAT device, which is why NAT boxes make a great security device.

#6
Triple-A Player
Join Date: Jan 2002
Location: NJ
Posts: 172
Okay, I gotcha. So any configuration of ports in and out needs to be done on the NAT device, in my case the DSL modem/gateway that my ISP provided. Thanks everyone, this has been a great help. -Fernando
__________________
Health, Wealth & Happiness