16.2. Built-in Services: The Sharing Panel

 < Day Day Up > 

16.1. Getting Connected

If you're using a Mac as a production server, then you are probably either co-locating it at your hosting provider's facility or bringing a dedicated line into your home or office. In that case, your Internet Service Provider (ISP) or hosting provider is taking care of all the details: setting up Domain Name System (DNS ) records, providing an IP address, and possibly physically hosting your computer in a rack somewhere.

Most hosting providers will take care of setting up entries in the Domain Name System so that you're in the database. However, you will still be responsible for registering the name you want with a domain registrar.


If you're running a Mac at home, you can approximate the same setup, but there are two configuration issues you need to consider:


DNS

If you're using residential broadband, or even the lower tiers of some business-class broadband, your fully-qualified domain name (FQDN) is probably something terrible like host130.93.41.216.conversent.net. If you go to your ISP and ask to be set up with a real name, they will either greet you with a blank stare or steer you toward some service that costs hundreds of dollars a month.


IP Address

Again, residential broadband and low-tier business class broadband users suffer, since they are likely to have a dynamic IP address for their service. If you've got this kind of service, your IP address could change as often from every couple of hours to every few days, weeks, or months. In some cases, your IP address may be effectively permanent, but without the guarantee that it will remain static, you never know when you'll have to deal with the hassle. You could ask your ISP for a static IP address, but this may cost extra money, or you may have to move up to a higher tier of service.

Some ISPs, such as Speakeasy, Inc. (http://www.speakeasy.net/) offer commercial-class services for well under $100 a month. If you're interested in running services out of your small office or home office (SOHO), check them out.


If you're running a Mac as a server for personal use (for example, remote access via SSH), you can probably get away with plugging into a residential broadband connection and opening a hole in your firewall. However, if you want others to be able to access services such as a web browser, you'll need to solve the DNS and IP address problems. A dynamic DNS service, such as Dynamic Network Services (http://www.dyndns.org) can help with this.

16.1.1. Dynamic DNS

Dynamic Network Services, Inc. has been offering dynamic DNS services for many years, and has long been a favorite of dialup and SOHO broadband users who need a permanent domain name even when their IP address is constantly changing. In order for this service to work, you must update the dyndns.org servers every time your IP address changes. The open source DNSUpdate utility (http://www.dnsupdate.org/) can detect your public IP address and update the dyndns.org servers with that address, rather than your private address. You must select External Interface when you add a host to DNSUpdate for it to detect and register your public IP address, as shown in Figure 16-1.

That's only half the battle; if your Mac resides behind a firewall router (such as the Apple AirPort Base Station), you'll need to configure it to make your network services visible to the outside world. Otherwise, all incoming traffic will be stopped in its tracks at your firewall. The next section has solutions to this problem.

16.1.2. Serving from Behind a Firewall

If you have a SOHO router (such as the AirPort Base Station) between your Internet connection and your Mac, the router probably has a built-in firewall that protects your Mac from the outside world. Since most access points and routers have a firewall that blocks incoming network traffic, you'll need to open a hole in that firewall for each service you want to use. The list that follows describes our recommendations for exposing a server to the outside world on a SOHO network.

Figure 16-1. Configuring Dynamic DNS with DNSUpdate



Use a wired connection

If you have a wireless access point, such as an AirPort Base Station, that's doing double-duty as your wired Ethernet router, we suggest plugging your Mac server into one of the LAN ports on your access point or one of the LAN ports on an Ethernet switch that's plugged into your access point's LAN port.

Although Wi-Fi speeds typically exceed broadband by quite a lot, actual speeds are often half that of the quoted speed of Wi-Fi networks , and bandwidth is shared among all computers on a given network. So, an 802.11b Wi-Fi network with a raw speed of 11 Mbps is more likely to share 5 to 6 Mbps among machines, and an 802.11g Wi-Fi (AirPort Extreme) network is more likely to have 20 to 25 Mbps available than the 54 Mbps raw speed of the network. This is because Wi-Fi networks have a significant amount of overhead, are susceptible to interference from consumer electronics and microwave ovens, and can experience a sharp drop-off in speeds as the distance between the computer and base station increases.


Be aware of your ISP's Terms of Service

If your ISP does not permit you to run servers on your network, consider asking them whether they have another tier of service that does permit this. As an added bonus, those tiers of service often include one or more static IP addresses. On the downside, they tend to cost quite a bit more than the consumer offerings. ISPs that have restrictive policies in place will often also block certain ports. For example, the Cox cable Internet service that we use does not permit inbound or outbound connections on port 25 (SMTP), nor do they permit inbound connections on port 80 (HTTP). Since these restrictions were implemented around the height of Windows-based worms that used these ports, we believe the restrictions are there primarily to protect against such worms. Prior to that, the only reports we had of Cox actually enforcing their "no servers" rule was in cases where customers were using large amounts of bandwidth.

Although we can't prove that Mac OS X is inherently more secure than Microsoft systems, there are fewer exploits that affect it. If you are diligent about applying security updates, understand the risks and consequences of opening a service (such as a web or IMAP server) to the outside world, and are comfortable monitoring your network for intrusions, you can sleep a little easier while your servers hum away in the night.



Consider non-standard ports

If your ISP's Terms of Service do not explicitly prohibit running services, but they are still blocking ports to protect against worms, you could choose to run these services on an alternate port that's not blocked. You can do this by either reconfiguring the server, or using your router to handle the redirection.


Open your ports

One thing a firewall is really good at is keeping traffic out. However, if you want to run a server on your network, you need to selectively let traffic in. This is called port mapping , and is described in the next section.

Non-Apple wireless access points may have similar functionality. Look in your access point's documentation for information on port mapping (sometimes referred to as forwarding).


16.1.2.1. Port mapping with an AirPort Base Station

To configure an AirPort Base Station to direct traffic to a Mac that's acting as a server, you should first make sure that the server has a static IP address. By default, an AirPort Base Station will assign addresses in the range of 10.0.1.2 to 10.0.1.200. This will be different if you've specified a different subnet and pool size (in the AirPort Admin Utility, choose Network Distribute IP addresses Share a single IP address using DHCP and NAT Other and set the values as shown in Figure 16-2).

Figure 16-2. Setting subnet and IP address pool size


You must choose your static IP address from outside this pool. If you were using the default AirPort configuration, 10.0.1.201 would be an acceptable choice. If you were using the settings shown in Figure 16-2, then anything over 192.168.254.148 would be OK (we'll use 192.168.254.201 in the next example). Once you have chosen your static IP address, configure your Macintosh server to use this address in Network Preferences. This ensures that your server always has the same IP address, and you can then configure your base station to forward traffic to it.

To configure port mapping, open the AirPort Admin Utility (in /Applications/Utilities), select your Base Station, and choose Port Mapping. Figure 16-3 shows an AirPort Base Station configured to forward traffic coming in from the outside world on port 22 (ssh) to a machine inside the network with the private address 192.168.254.201 on port 22.

Figure 16-3. Setting up a port mapping with the AirPort Admin Utility


This means that people can ssh to PUBLIC_IP_ADDRESS and be directed to the machine at 192.168.254.201 inside the firewall. You can find the value for PUBLIC_IP_ADDRESS by selecting the View Show Summary menu from within the AirPort Admin Utility and looking at the Public (WAN) IP Address, as shown in Figure 16-4.

If you want to open up every port on a given machine, specify the IP address of a default host in the AirPort Admin Utility (AirPort Base Station Options Enable Default Host). This should be the static IP address of the server on your private network. We do not recommend this because opening every port may expose you to vulnerabilities youre not looking out for. If you've only opened up a select group of services (such as HTTP, SMTP, and SSH), you have a short list of ports to monitor, and therefore, fewer vulnerabilities to worry about.

Figure 16-4. Looking up the public IP address of an AirPort Base Station


Now that you've set up your network so the outside world can talk to your Mac, it's time to configure some services for others to use.

     < Day Day Up > 


    Mac OS X Tiger for Unix Geeks
    Mac OS X Tiger for Unix Geeks
    ISBN: 0596009127
    EAN: 2147483647
    Year: 2006
    Pages: 176

    Similar book on Amazon

    flylib.com © 2008-2017.
    If you may any questions please contact us: flylib@qtcs.net