[P1] SMC router setup

Mike Beede beede at visi.com
Wed May 7 06:30:19 PDT 2003


On Wednesday, May 7, 2003, at 05:08 US/Central, Joyce Ranieri wrote:

> I have a home network with the following configuration:
> a 600 MHz iBook with an airport card
> a new flat-panel 1GHz iMac connected via ethernet wire
> an older 400MHz iMac connected via ethernet wire
>
> All are on an SMC wireless router. Now my question -- How can I 
> configure the router so that the 1GHz iMac will be accessible "on the 
> road". I'd like to take some of the files off my laptop and leave them 
> on the home machine, then access them from work if needed. I know how 
> to get into the setup panel of the router by entering the internet 
> address -- what I don't understand is what to enter underneath the 
> public & private ports in order to "open" them. (I think that's the 
> correct word??)

You need to have a fixed IP address from your ISP.  This is the address
you put in for your router to use on the WAN side.  Next, you need to
pick a fixed IP for your iMac.  If you're dishing out addresses with
DHCP, just pick one that's outside that range.  For my SMC box,
192.168.2.2 would be such an address.  Set the Mac to use that.
You can still use DHCP to get router and DNS addresses--just choose
"Using DHCP With Manual IP Address".

Then, go to the router's advanced setup and choose firewall.  Make
sure it's enabled.  Then, there are two ways to go.  You can set up
the iMac as a DMZ machine, meaning it's accessible directly from the
net.  I don't recommend that.  The other way is to go to the NAT
page and map incoming services to the iMac.  The only one *I*
would map would be SSH, which will allow you to set up tunnels to
whatever other services you want to access securely.  You want to
map private TCP port 22 on 192.168.2.2 to public port 22 (that's
the way the screen is set up on my SMC).  Then enable SSH on the
iMac (in the Sharing control panel as Remote Login).  You should
now be able to SSH in from the net by going to your static IP
address.  Make sure you have a hard-to-guess password for *all*
your accounts on that box.

You can read the ssh man page to find out how to transfer files
(look under sftp) and tunnel things around.

The reason I don't recommend doing a DMZ machine is that a) you
need *two* static IPs--one for the router and one for the iMac.
The other, more important reason is that this exposes your
entire machine to attack, rather than the pretty-tough SSH service.

You can, of course, do the same thing to allow access to other
services, but exposing something like file sharing unless you
understand how to do it securely is asking for trouble (I don't,
by the way).  Once you have a static IP, the charming little
script kiddies will be scanning you regularly looking for holes.
And even Macs have holes turn up from time to time.  You don't
want to be sitting there between the time an exploit is produced
and Apple comes out with a new release that patches it up, even
if it's just a few weeks.

> Also, how can I assign a permanent IP address to that computer so that 
> it won't change w/ power outages or restarts?

The network control panel as noted above.

Regards,

	Mike
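
The checks described in the reply above (a manual IP outside the DHCP range, only SSH forwarded, no DMZ host), as an added example that is not part of the original message. The router address, the DHCP pool and the rule format are assumptions made for illustration; only 192.168.2.2 and TCP port 22 come from the post.

```python
import ipaddress

def check_static_ip(ip, lan, router, pool_start, pool_end):
    """Return a list of problems with a manually assigned LAN address."""
    addr = ipaddress.ip_address(ip)
    net = ipaddress.ip_network(lan)
    problems = []
    if addr not in net:
        problems.append(f"{ip} is not inside {lan}")
    elif addr in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address")
    if addr == ipaddress.ip_address(router):
        problems.append(f"{ip} is the router's own address")
    if ipaddress.ip_address(pool_start) <= addr <= ipaddress.ip_address(pool_end):
        problems.append(f"{ip} is inside the DHCP pool and may be leased elsewhere")
    return problems

def audit_forwards(rules, dmz_host=None, allowed=frozenset({("tcp", 22)})):
    """Flag every exposure beyond the allowed (protocol, private port) pairs."""
    findings = []
    if dmz_host:
        findings.append(f"DMZ host {dmz_host}: all of its ports face the WAN")
    for r in rules:
        if (r["proto"], r["private_port"]) not in allowed:
            findings.append(
                f"{r['proto']}/{r['public_port']} -> {r['host']}:"
                f"{r['private_port']} exposes a non-SSH service")
    return findings

# Constructed sample data. Router address and DHCP pool are assumed values.
LAN = "192.168.2.0/24"
ROUTER = "192.168.2.1"
POOL = ("192.168.2.100", "192.168.2.199")
RULES_OK = [{"proto": "tcp", "public_port": 22,
             "private_port": 22, "host": "192.168.2.2"}]
# Same table with AFP file sharing (TCP 548) also forwarded.
RULES_RISKY = RULES_OK + [{"proto": "tcp", "public_port": 548,
                           "private_port": 548, "host": "192.168.2.2"}]

if __name__ == "__main__":
    print(check_static_ip("192.168.2.2", LAN, ROUTER, *POOL))
    print(check_static_ip("192.168.2.150", LAN, ROUTER, *POOL))
    print(audit_forwards(RULES_OK))
    print(audit_forwards(RULES_RISKY, dmz_host="192.168.2.2"))
```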


