June 2005


Tech | 30 Jun 2005 22:42:49 by Marco

We all know the trouble: today’s stupid ISPs will only give you one IP address, so to connect more than one computer we need to use RFC 1918 IP addresses, also known as private IP addresses. This is all nice and dandy when all you’re doing is accessing servers on the internet from behind your router, which will inevitably use Network Address Translation (NAT) to allow you to do so. It’s an incredible headache if you want to go the other way around: set up a service on one of your machines that people on the internet will be able to access.

Luckily, we can forward ports. You can only forward a single port once though, so take into consideration which machine you’re forwarding to. You can’t have two forwards for port 25, for instance, unless they are on different IP addresses. (On a side note, if you’re forwarding webservers, use Apache’s reverse proxy feature for that, so a single forwarded port can serve multiple servers based on the URL.)

In Linux, I would use iptables for this. Unfortunately the machine I want to forward a port on doesn’t run Linux. It runs Mac OS X Server. Knowing that in Linux this is done with the same tool that sets up the firewall, I set out to do the same on OS X and found that ipfw (the tool that manipulates firewall rules in the BSDs and OS X) knows an action called ‘forward’. Hold it, that’s not it. That does forward, like it says, but it doesn’t do NAT: the packet is handed to the other machine with its destination address unchanged, so it still carries your server’s address and the connection just won’t work properly. We want the destination rewritten.

Connection sharing in BSD is handled using a userland process called ‘natd’. Incidentally, natd is also capable of properly forwarding ports to other machines. Great. Now let’s find out how. There isn’t much documentation on this, but I did figure it out eventually. This is OS X-specific, I must add.

Apple stores the configuration for natd in /etc/nat/natd.conf.apple. Don’t change that though; it’s generated every time natd starts. The basis for the generated file is in /etc/natd/natd.plist. Open that up. It’s a fairly standard XML property list with some settings in it. Add the following to the end of it, just before the two last closing tags (</dict> and </plist>):

        <key>redirect_port</key>
        <array>
                <dict>
                        <key>aliasIP</key>
                        <string>INCOMING IP</string>
                        <key>aliasPortRange</key>
                        <string>INCOMING PORT</string>
                        <key>proto</key>
                        <string>tcp</string>
                        <key>targetIP</key>
                        <string>OUTGOING IP</string>
                        <key>targetPortRange</key>
                        <string>OUTGOING PORT</string>
                </dict>
        </array>

Replace the incoming and outgoing IPs and ports with whatever your network requires. Incoming (aliasIP) is the IP address on your server; outgoing (targetIP) is the IP address of the machine you’re forwarding to.

You can now restart natd, for example by stopping and starting Internet Sharing. If all went well, your machine now forwards the port(s) you listed. Don’t forget to allow the forwarded port(s) in your firewall, too!

As a last note: this was tested and verified to work on MacOS X Server 10.3. It should also work on MacOS X Server 10.4. However, the configuration files do not seem to exist on the non-server version.
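As an added example (not from the original post), here is a small Python helper that appends a redirect_port entry to a natd.plist of the shape shown above and refuses the overlapping forwards the post warns about (the same port on the same incoming IP and protocol), rejects targets outside RFC 1918 space, and requires matching range sizes. The sample plist, the addresses and the ports are constructed; the key names are the ones from the post.

```python
import ipaddress
import plistlib

# Constructed sample: a minimal natd.plist holding one redirect_port entry.
# A real natd.plist carries other keys as well; only redirect_port matters here.
SAMPLE_NATD_PLIST = plistlib.dumps({"redirect_port": [{
    "aliasIP": "203.0.113.10", "aliasPortRange": "25", "proto": "tcp",
    "targetIP": "192.168.1.20", "targetPortRange": "25"}]})
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def port_range(spec):
    """Parse '80' or '8000-8010' into an inclusive (low, high) tuple."""
    low, _, high = spec.partition("-")
    low, high = int(low), int(high or low)
    if not 1 <= low <= high <= 65535:
        raise ValueError("bad port range %r" % spec)
    return low, high

def add_redirect(plist_bytes, alias_ip, alias_ports, target_ip, target_ports, proto="tcp"):
    """Return plist bytes with one redirect_port entry appended, or raise ValueError.
    Refuses a forward that overlaps an existing one for the same proto and incoming IP,
    because a port can be forwarded only once per address."""
    if proto not in ("tcp", "udp"):
        raise ValueError("proto must be tcp or udp")
    ipaddress.ip_address(alias_ip)  # rejects a malformed incoming address early
    if not any(ipaddress.ip_address(target_ip) in net for net in RFC1918):
        raise ValueError("targetIP %s is not an RFC 1918 address" % target_ip)
    new_low, new_high = port_range(alias_ports)
    tgt_low, tgt_high = port_range(target_ports)
    if tgt_high - tgt_low != new_high - new_low:
        raise ValueError("incoming and target port ranges differ in size")
    conf = plistlib.loads(plist_bytes)
    rules = conf.setdefault("redirect_port", [])
    for rule in rules:
        if rule["aliasIP"] != alias_ip or rule["proto"] != proto:
            continue
        low, high = port_range(rule["aliasPortRange"])
        if low <= new_high and new_low <= high:  # inclusive ranges overlap
            raise ValueError("%s %s on %s already goes to %s:%s" % (
                proto, rule["aliasPortRange"], alias_ip,
                rule["targetIP"], rule["targetPortRange"]))
    rules.append({"aliasIP": alias_ip, "aliasPortRange": alias_ports, "proto": proto,
                  "targetIP": target_ip, "targetPortRange": target_ports})
    return plistlib.dumps(conf)

def list_redirects(plist_bytes):
    """Summarise every forward as (proto, incoming, target) for a quick review."""
    return [(r["proto"], "%s:%s" % (r["aliasIP"], r["aliasPortRange"]),
             "%s:%s" % (r["targetIP"], r["targetPortRange"]))
            for r in plistlib.loads(plist_bytes).get("redirect_port", [])]
```

Run list_redirects over the file before restarting natd to check that every forward really points at the machine you expect.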

Tech | 26 Jun 2005 15:37:42 by Marco

It apparently threw a tantrum over how hot it got in my room and refused to work. After a while of trying to get my dear data off it (after installing osx on a firewire disk and booting that, of course), the mini wouldn’t even recognise it anymore. I then decided to let the entire thing cool off for half an hour. This made it work again to at least the point where I could make a disk image of it. I didn’t trust it anymore though, so I opted to just go out and get a new drive. So now my Mac mini is fitted with a Western Digital Scorpio 80G drive instead of the usual Toshiba 80G. It’s a little faster, too.

General, Life | 24 Jun 2005 10:48:51 by Marco

If you’ve ever used public transport in Amsterdam, you’ll know that the drivers have a somewhat different attitude compared to PT in other cities. I was confronted with that again, this morning.

Getting to work for me involves getting on a bus, then switching to a train, and lastly I get on a tram. The bus isn’t from Amsterdam. That makes it easy: you wait for it to appear and get on. If you’re still approaching the bus stop when that bus is appearing, you run at it and it’ll stay there so you can still get on. The trains go at regular intervals (or are delayed, but never too early) so you shouldn’t have any trouble making it there in time.

Now the public transport in Amsterdam. They will not wait. At all. Not even a single second. Just this morning, I was approaching the tram. I was literally less than 50cm away from the door when it closed and the tram rode away.

Well, at least I had some time to get something to drink.

General, Life | 16 Jun 2005 19:27:37 by Marco

I’d say it was pretty cool. Not entirely true to the book (as usual). For instance there are a few annoying love-scene moments (as usual) that need to go (as usual). But apart from that, I enjoyed the hitchhiker’s guide movie quite a bit. Special crowd, too. One dude had part of an orange juicer strapped to his head (explained in the movie), and another raised his towel every time it was mentioned.

Life | 15 Jun 2005 08:18:51 by Marco

Today is the day on which I will go see The HitchHiker’s Guide to the Galaxy.

‘Huh? What? But that’s not in theatres yet, in the Netherlands!’

Indeed it isn’t. Except it’s the closing film for the Amsterdam Fantastic Film Festival. So I get to see it nearly 2 months early. Yay!

General, Tech | 13 Jun 2005 15:09:50 by Marco

I’ve begun moving over to WordPress. This means the end of my homebrew Zope stuff, which was basically only there to try out Zope. It just stuck a little longer than I expected. It also means I can finally ditch the UserModeLinux virtual machine running it.

Now, I’ve archived all the old stuff of course. Most links should still work. I have no clue how I’m going to make Google like all this, but who cares. It’s still the old (table-based, ack!) layout, too. Either way, find it in the archive. (Some links to files and images are broken. Should you need one of them, just poke me.)

I hope this will stick for a while. I might tweak the layout a bit more but the general idea should remain the same. Or at least similar. Or maybe not.