Squeezing NAT Out of Panther Server

by Glenn Fleishman

What I wanted was very simple and very routine—so routine and simple that it's enabled with a single checkbox in Mac OS X 10.2 and 10.3.

But I wasn't working with the client versions of Mac OS X. No, I was in server land. And I wanted Panther Server (Mac OS X Server 10.3) to hand out private Network Address Translation (NAT) managed addresses over DHCP (Dynamic Host Configuration Protocol).

Instead of simply checking a box in the client-side version of Panther, I spent hours pouring over Apple's obtuse documentation and reading detailed configuration information about natd, ipfw, and dhcpd. I finally mastered it with a little persistence.

But Why? (You May Be Thinking)

Part of my motivation in setting up private addresses is that even though this feature is built into the AirPort Extreme Base Station as the Distribute Addresses option, I've been unable to get it to create private addresses correctly because I use the base station on my LAN, and not as the gateway between my DSL modem and the rest of our shared office LAN. Recently, it even stopped feeding out wired DHCP addresses, for reasons that are unclear.

Related Reading

Running Mac OS X Panther
Inside Mac OS X's Core
By James Duncan Davidson

The motivation for feeding out private addresses that are non-routable from the rest of the Internet has two components:

  • First, they offer firewall by obscurity. While NAT doesn't entirely prevent outside cracking, it does offer obscurity. Unless you specifically punch a port from a NAT-addressed computer through to a public, routable IP address, that computer is entirely unreachable until it initiates a connection.
  • Second, if you have a small pool or just a single static IP address, or receive a dynamically assigned private or public IP address, NAT allows you to create a pool of addresses to share a connection.

In plain old Panther, you bring up the Sharing preference pane in System Preferences, click the Internet tab, and choose the interface you want to share the connection from, such as Ethernet or AirPort (see Figure 1). Apple requires you have at least one active network connection.

You then check boxes corresponding to the interfaces to which you want to serve NAT via DHCP. In a small network that has both AirPort and Ethernet users, you could send NAT back to both networks and disable Distribute Addresses in an AirPort or AirPort Extreme Base Station or disable DHCP in another wireless gateway.

Click Start and you're done. Couldn't be more straightforward.

Panther Server Set Up Is Another Animal

So, you'd think that Panther Server would have more sophisticated options, but be relatively as easy? No, no, how could that be the case.

Instead, you must configure and enable three separate services, add a duplicate network interface, and edit a configuration file manually to get what you want. Let's walk through this.

In the rest of the FreeBSD and Linux world, ifconfig, natd, dhcpd, and ipfw (or its ipchains or iptables equivalents) work together to assign private addresses.

You use ifconfig to create a fake address on a new network, like the address on the network (The /24 means the first 24 bits are significant, equivalent to a network mask of

Figure 1. Panther Sharing

natd is configured to rewrite addresses for the network; ipfw diverts traffic to natd for it to rewrite. Finally, dhcpd is set up to manage a range of addresses in that network, such as through and hand out nice items like a router address and DNS server addresses.

Panther Server packages all natd as NAT; dhcpd as DHCP; and ipfw as Firewall within its nifty new Server Admin program, a portmanteau program that replaces the horrible interface found in the previous server release with a coherent, consistent graphical approach.

From hard experience, here's the set of steps to carry out our complicated command-line configuration, mostly through Server Admin.

1. Add a private address to a duplicate network configuration in the Network preference pane. Open System Preferences, click Network, and from the Show menu choose Network Port Configurations (see Figure 2). Select Built-in Ethernet and click Duplicate. Name the duplicate interface Private Network.

Figure 2. Network Interfaces

From the Show menu now choose Private Network. In the TCP/IP tab, select Manually from the Configure IPv4 menu. Enter as the IP address and as the subnet mask. You can enter DNS values for DNS, but leave other settings blank.

2. Open /etc/hostconfig in pico or vi. Find the line that reads


Change NO to YES, leaving everything else the same. Save that file and exit the text editor.

3. Run Server Admin. Click the DHCP service. Click the Settings tab. You may already see an IP network for If not, click the + sign (see Figure 3). Give the Subnet Name as (it's just text, but it's a good identifier). In Starting IP Address, enter; in Ending IP Address, enter Set the subnet mask to and the router to your private interface address: You can choose any lease time you wish. Click Save. Click Start Service.

Figure 3. DHCP Subnet Setup

4. Click the Firewall service. You should see a listing under Address Group for 192.168-net. This is the superset of, or the full private address range reserved for uses like these (see Figure 4). I haven't yet figured out how to bypass this tedious next step. For each service you want accessible to machines on the private network, you need to check a box to allow it. If none of these machines are working as servers, you might need to check relatively few boxes. But if you need to use Timbuktu, Retrospect, and other offerings, make sure and check those pages.

Figure 4. Firewall Setup

You could also add an advanced rule. Click the Advanced tab. Click the + sign (see Figure 5). Under the Source area, choose Any from the Address pop-up menu (see Figure 6). From the Destination area, choose 192.168-net from the Address menu. Click OK. Drag this rule to the top of the list so it's invoked first. This is a dangerous option because it allows all traffic through, but because these are private addresses, this is probably an issue only for locally discoverable services that use Rendezvous.

Figure 5. Firewall Advanced Rules

Figure 6. Firewall Any Rule

Click Save and wait a while. A long while. For some reason, on the 450 MHz G4 Cube that I have Panther Server installed on, the firewall settings can take minutes to save. They often fail, requiring me to check the boxes again (the settings aren't saved when it fails) and clicking Save again, and waiting... again.

When it's finally saved, click Start.

5. Click the NAT service. NAT has, fortunately, very few options (see Figure 7). In the Settings tab, make sure Built-in Ethernet is selected. Click Start.

Figure 7. NAT Config

You should now be able to serve DHCP-fed private addresses over the LAN. I've found that when this doesn't work, if I restart NAT, DHCP, and Firewall, the trouble goes away.

Final Thought

It's quite amazing to me that such a common task isn't streamlined in the server as it is in the plain Panther system. But now that you have the secrets, you should be able to set this up with none of the hassle I faced.

Glenn Fleishman is a freelance technology journalist contributing regularly to The New York Times, The Seattle Times, Macworld magazine, and InfoWorld. He maintains a wireless weblog at

Return to the Wireless DevCenter