IP Sharing - how does it work?

[Peter KERR]

I haven't yet found a reasonable description of the mechanism, beyond
the dire warnings of what it might do to your network, and the simple
instructions to turn it ON or OFF.

My situation is on a LAN with full campus management of subnets and
firewalling, and volume based metering of traffic per IP number.
Computers have different levels of access to the world, some have none,
and all with traffic loading potential are "registered" to a real
person. This is for billing any excess traffic over quota, and for
tracking virus, intrusion, etc incidents.

I have minor admin rights over our local subnet. Often I find myself at
a machine with blocked access, but I want to check a distant web page,
or download software.

So, can I share my desktop IPnr (MacOS 10.2.6) with just a few specified
clients, or would it be easier to run a proxy server on my machine?

[Bob Harris]

In article <user-0DEFDC.09574715082003@scream.auckland.ac.nz>,
Peter KERR <user@host.domain> wrote:

> I haven't yet found a reasonable description of the mechanism, beyond
> the dire warnings of what it might do to your network, and the simple
> instructions to turn it ON or OFF.
>
> My situation is on a LAN with full campus management of subnets and
> firewalling, and volume based metering of traffic per IP number.
> Computers have different levels of access to the world, some have none,
> and all with traffic loading potential are "registered" to a real
> person. This is for billing any excess traffic over quota, and for
> tracking virus, intrusion, etc incidents.
>
> I have minor admin rights over our local subnet. Often I find myself at
> a machine with blocked access, but I want to check a distant web page,
> or download software.
>
> So, can I share my desktop IPnr (MacOS 10.2.6) with just a few specified
> clients, or would it be easier to run a proxy server on my machine?

Many things are possible, but unless you create an isolated network that
only connects to your Mac via a 2nd ethernet card or maybe an Airport, I
would advise against enabling IP sharing on your Mac.

The general idea of internet sharing is that one ethernet port on your
Mac or your modem is connected to an internet service provider. Via a
separate networking port, your Mac is also connected to a local network
(like some attached systems in your home, or in a small office). None
of these other systems are connected in anyway to the ISP (where ISP in
this case is your campus network).

When you enable IP sharing, the Mac will use the IP addresses 10.*.*.*
for your private little network. The network addresses 10.*.*.* and
192.168.*.* are reserved for private networks and are not allowed on the
Internet because they are not unique. In fact there are most likely
several 100 thousand or milliions of systems out there with IP addresses
of 10.0.1.2 and 192.168.0.2 all sitting on private networks.

The router (in this case your Mac) will setup a NAT server that takes
requests from your private systems and changes their IP address to its
own IP address and assigns it a unique IP port number when it sends the
request out to the internet via the ISP. When responses come back to
that port number, the NAT server will change the request back to the
originating sytsems IP address and originating port number and route the
reply back to the originating system.

Because the system your Mac is sharing its IP address with, have private
network IP addresses, these systems can not be sitting on anything that
is directly connected to the internet as those private IP addresses
would cause problems in general.

So I suspect that for your setup, you do not have a private little
network with your Mac acting as the router, so you should not enable
Ineternet sharing on your Mac.

----

Now you may be able to get what you want by using a port forwarding
server on your Mac, or running a VNC server on your Mac and a VNC client
on the other systems you visit.

Bob Harris

[Peter KERR]

In article <harris-0E1A93.19201514082003@juggl7.zk3.dec.com>,
Bob Harris <harris@zk3.dec.com> wrote:

>
> When you enable IP sharing, the Mac will use the IP addresses 10.*.*.*
> for your private little network. The network addresses 10.*.*.* and
> 192.168.*.* are reserved for private networks and are not allowed on the
> Internet because they are not unique. In fact there are most likely
> several 100 thousand or milliions of systems out there with IP addresses
> of 10.0.1.2 and 192.168.0.2 all sitting on private networks.
>
> The router (in this case your Mac) will setup a NAT server that takes
> requests from your private systems and changes their IP address to its
> own IP address and assigns it a unique IP port number when it sends the
> request out to the internet via the ISP.

Yes this is how the OS-X server does it. Or rather it assumes that you
have already assigned private numbers, and it prefers that these are on
a second interface, but not necessarily. In our case 10.*.*.* numbers
are "safe" to coexist with real nrs because our building switch is
configured to not propagate them any further. But all machines already
have real Class B(?) nrs (yeah I know, a waste if they're not actually
out there:-(

What Apple don't explain is, does the OS-X client use the same NAT
mechanism as the server? If so then I guess I can set up & configure
ipfw from the terminal. What I want is for one or two other clients to
have their port 23 & 80 traffic which is blocked at our campus firewall,
NATed to use my IP nr. No attempt here to defraud or bypass security...