Deprecated “natd” and “ipfw” in Yosemite – Can someone help with the workaround pleas

[ada-lovelace]

Hi guys,

Tunnelblick/OpenVpn doesn’t play nice with internet connection sharing in mac osx. There was a suggestion on a workaround on how to route all traffic over VPN as per this post:

http://rodrigo.sharpcube.com/2010/06/20/using-and-sharing-a-vpn-connection-on-your-mac/

The script is:

#!/bin/sh

natd -interface tun0
ipfw -f flush
ipfw add divert natd ip from any to any via tun0
ipfw add pass all from any to any
sysctl -w net.inet.ip.forwarding=1

I am not a linux expert – So I am just wondering if anyone can help me with the alternative for the above deprecated commands please?


Many thanks in advance.

 

[ada-lovelace]

[MOD]

I think I've posted in a wrong forum - maybe move this to Mac Programming?

 

[dyn]

The replacement for ipfw would be pf. From what I know, pf has its own NAT support (previously on FreeBSD you had to install natd separately, with pf you don't). I think the sysctl line still applies, the other lines are ipfw lines that need to be converted to pf. This might be helpful: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html Also, take a look at "The book of pf" by Peter Hansteen.

 

[ada-lovelace]

The replacement for ipfw would be pf. From what I know, pf has its own NAT support (previously on FreeBSD you had to install natd separately, with pf you don't). I think the sysctl line still applies, the other lines are ipfw lines that need to be converted to pf. This might be helpful: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html Also, take a look at "The book of pf" by Peter Hansteen.

Thanks for the guidance. That's helpful. Appears to be an almost straightforward substitution for ipfw-pf.

The natd however, I'm still trying to make sense of it :-/

 

[dyn]

IPFW didn't do NAT at all, for that you needed something else: natd. PF, on the other hand, does NAT all by itself. The only thing you need is the following:

nat on $ext_if from $localnet to any -> ($ext_if)

In this case $ext_if is the variable that contains your external interface (internet), $localnet is the variable that contains the internal interface (lan). The name of these variables is something you can choose freely. See chapter 30.3.3.1 from the FreeBSD handbook. You'll also come across it when you search for howto's.

 

[ada-lovelace]

ok, i think i've given up for now. I did a bit of reading and researching. This pf thing, is beyond me. The use of anchor etc, seems complicated.

But thanks again guys.

 

[nello]

ok, i think i've given up for now.

Did you ever get this working?

If so, please publish the revised scripts.

Thank you.