
Can I set up a computer to have access to my LAN but not the internet?

Ashleyyyy

OK, so I have a 2007 Mac mini lying around collecting dust, and I want to turn it into a server for Time Machine on my network so I can do backups without having my external drive plugged into my laptop the whole time.

 

The issue is that the Mac mini is running OS X 10.7, which is ancient at this point and very insecure. Can I set it up so that I can do backups over my LAN but not have the machine connect to the internet at all? Also, if things like the built-in OS X screen share work, that would be useful as well. That should just work over LAN the same way as Time Machine.

She/Her


Yes, with a firewall. Just whitelist your local network IPs and block everything else.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


Or, if your router has parental controls, you can use that.

🖥️ Motherboard: MSI A320M PRO-VH PLUS  ** Processor: AMD Ryzen 2600 3.4 GHz ** Video Card: Nvidia GeForce 1070 TI 8GB Zotac 1070ti 🖥️
🖥️ Memory: 32GB DDR4 2400  ** Power Supply: 650 Watts Power Supply Thermaltake +80 Bronze Thermaltake PSU 🖥️

🍎 2012 iMac i7 27";  2007 MBP 2.2 GHZ; Power Mac G5 Dual 2GHZ; B&W G3; Quadra 650; Mac SE 🍎

🍎 iPad Air2; iPhone SE 2020; iPhone 5s; AppleTV 4k 🍎


10 minutes ago, Sauron said:

Yes, with a firewall. Just whitelist your local network IPs and block everything else.

[Attached screenshot]

 

I guess I'd need to set it to block all incoming connections then? But will the network sharing still work?

 

EDIT: This screenshot is from my laptop, but this preferences panel is the same in the older version the Mac mini runs, iirc.

Edited by Twilight


1 minute ago, Twilight said:

I guess I'd need to set it to block all incoming connections then?

I'm not familiar with the macOS firewall, but in general yes, you should block all incoming connections and then specifically allow all connections coming from your local network (typically 192.168.0.*). I don't know if there's a built-in IP whitelist; if there isn't one then you'll have to use a third-party firewall.


7 minutes ago, Sauron said:

I'm not familiar with the macOS firewall, but in general yes, you should block all incoming connections and then specifically allow all connections coming from your local network (typically 192.168.0.*). I don't know if there's a built-in IP whitelist; if there isn't one then you'll have to use a third-party firewall.

Sure. If I do this it's safe to use it on the network?


2 minutes ago, Twilight said:

Sure. If I do this it's safe to use it on the network?

Yes, unless there are malicious actors on your local network :P


As long as you aren't actually doing anything online with it, there shouldn't really be a huge risk in leaving it connected, as nothing should actually try to connect. The biggest security issue IMO is using a web browser on it, so just don't.

 

That said, you shouldn't need to mess with a firewall to block it; in fact I think it's the worst way to do it, as that machine will still try to go online, which may cause hangs in the OS or software.

Better to set its IP address as a static address but do not fill in the gateway or DNS, so it won't even try to go online then. Ideally you still want to have its IP address reserved on the DHCP server on the router though, so it's not given to another client on the network. Or make sure that the IP address you set is outside the DHCP range.

Router:  Intel N100 (pfSense) WiFi6: Zyxel NWA210AX (1.7Gbit peak at 160Mhz)
WiFi5: Ubiquiti NanoHD OpenWRT (~500Mbit at 80Mhz) Switches: Netgear MS510TXUP, MS510TXPP, GS110EMX
ISPs: Zen Full Fibre 900 (~930Mbit down, 115Mbit up) + Three 5G (~800Mbit down, 115Mbit up)
Upgrading Laptop/Desktop CNVIo WiFi 5 cards to PCIe WiFi6e/7


Just static IP it with no gateway.

 

It has a connected route to your LAN, but won't have a route anywhere else.

 

You may also be able to ACL that specific host in the router for defense in depth but that would be redundant.

PC : 3600 · Crosshair VI WiFi · 2x16GB RGB 3200 · 1080Ti SC2 · 1TB WD SN750 · EVGA 1600G2 · Define C 
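
A way to verify the "static IP, no gateway" setup suggested in the last two posts, as an added example that is not part of the thread: the function reads `netstat -rn` output and reports any default route, checking IPv6 as well as IPv4 because the two are configured separately on the Mac. The function names, the address 192.168.0.50, the interface en0 and both routing tables are constructed for illustration.

```shell
# Added example, not from the thread. Reads `netstat -rn` output on stdin and
# prints each default route, tagged by address family.
# Exit status: 0 = no default route (LAN-only), 1 = a default route exists.
find_default_routes() {
    awk '
        /^Internet6:/ { fam = "ipv6"; next }
        /^Internet:/  { fam = "ipv4"; next }
        # macOS prints "default"; accept the numeric spellings as well.
        fam != "" && ($1 == "default" || $1 == "0.0.0.0" || $1 == "::/0") {
            printf "%s default via %s\n", fam, $2
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample: static 192.168.0.50/24 with the router field left empty.
sample_lan_only() {
    cat <<'EOF'
Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
127                127.0.0.1          UCS             0        0     lo0
192.168.0          link#4             UCS             2        0     en0
192.168.0.50       127.0.0.1          UHS             0        0     lo0
EOF
}

# Constructed sample: same IPv4 setup, but IPv6 was left on automatic and
# picked up a default route, so the host is not LAN-only.
sample_v6_default() {
    sample_lan_only
    cat <<'EOF'

Internet6:
Destination        Gateway            Flags      Netif Expire
default            fe80::1%en0        UGc          en0
fe80::%en0/64      link#4             UCi          en0
EOF
}

for s in sample_lan_only sample_v6_default; do
    if routes=$("$s" | find_default_routes); then
        echo "$s: LAN-only (no default route)"
    else
        echo "$s: NOT isolated: $routes"
    fi
done
```

On the Mac mini itself, the live check is `netstat -rn | find_default_routes`; an exit status of 0 with no output means only connected routes exist.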
