lambrinoul 0 Posted ...

I am concerned about leaking IPs when torrenting, among other things, and I decided to use WaterRoof on my OS X 10.6. I flushed the previous rules and imported the airvpn-ipfw-ruleset from jesee's post. Looking around WaterRoof I realised that this deals with IPv4.

a) IPv6: When I pressed the ipv4/ipv6 button that reveals the IPv6 rules, no rules were present. I tried to import again in this tab but the rules are not imported there. So it seems the rules are working for IPv4 only.

b) Dynamic rules: All the above has to do with static rules. Looking around I discovered there is a window to add dynamic rules. Should I import the rules there too?

c) Connections inspector: I opened the connections inspector window and there are 7 rules that apparently are "root processes". Should I block any of these? What are these and how can I tell if they are factory made or "planted" there by someone?

d) Application icon / monitor: I cannot seem to find any way to monitor whether the WaterRoof application (and the rules) are running, like a menu bar icon. Is there something I am missing?

e) Little Snitch: Is WaterRoof compatible with Little Snitch?

f) Tunnelblick: In the advanced settings of the configuration there is the option "Route all traffic through the VPN". I had the impression that that was happening anyway. What is its role? (Is there any good place with information regarding the proper configuration of Tunnelblick for not very technical people?)

Any help greatly appreciated.

p.s. I am not so much into technical stuff, so a "kill switch" (for killing the connection during a possible (probable?) disconnection from AirVPN) would be very helpful for people like me. Many thanks.

p.s.2 After using these rules I can connect neither to the internet nor to AirVPN.

add 01000 allow log udp from 192.168.0.0/16 to 94.75.228.29 dst-port 53 keep-state
add 01002 allow log udp from 192.168.0.0/16 to 62.141.58.13 dst-port 53 keep-state
add 01004 allow log udp from 192.168.0.0/16 to 87.118.100.175 dst-port 53 keep-state
add 01006 allow log udp from 192.168.0.0/16 to 87.118.104.203 dst-port 53 keep-state
add 01008 allow log udp from 192.168.0.0/16 to 87.118.109.2 dst-port 53 keep-state
add 02000 allow ip from 192.168.0.0/16 to 46.165.208.65 keep-state
add 02004 allow ip from 192.168.0.0/16 to 95.211.169.3 keep-state
add 02008 allow ip from 192.168.0.0/16 to 178.248.29.132 keep-state
add 02012 allow ip from 192.168.0.0/16 to 108.59.8.147 keep-state
add 02016 allow ip from 192.168.0.0/16 to 69.163.36.66 keep-state
add 02020 allow ip from 192.168.0.0/16 to 89.149.226.185 keep-state
add 02024 allow ip from 192.168.0.0/16 to 146.185.25.170 keep-state
add 02028 allow ip from 192.168.0.0/16 to 62.212.85.65 keep-state
add 02032 allow ip from 192.168.0.0/16 to 85.17.123.26 keep-state
add 02036 allow ip from 192.168.0.0/16 to 95.211.98.154 keep-state
add 04000 allow ip from 127.0.0.1 to any
add 05000 allow log ip from 10.0.0.0/8 to any
add 05002 allow log ip from any to 10.0.0.0/8
add 65534 deny log ip from any to any

p.s.3 I flushed the WaterRoof rules and my connection was re-established. Are the above rules correct?
lambrinoul 0 Posted ...

After manually going through the rules and removing the "log" as suggested in another post, I removed the following rule:

add 65534 deny log ip from any to any

Now the connection is re-established, but apparently there is no rule for blocking/denying connections. I appreciate your help.
lambrinoul 0 Posted ...

Edit: Also, with the above configuration I can connect to the internet even though I am not connected to AirVPN.
lambrinoul 0 Posted ...

It's a shame I still haven't received any reply on that. I have looked at the other threads, I have tried the rules suggested and they are not working. Is there some other suggestion regarding setting up a firewall (ipfw) against DNS leaking?
Staff 10014 Posted ...

Hello, the rules are correct, provided that your home network is in 192.168.0.0/16 (please check). Another rule should be added to allow DHCP, if you need it (probably so): you need to allow anything in UDP to IP 255.255.255.255 (to know why, please see how DHCP discovery works).

Kind regards
lambrinoul 0 Posted ...

My home network is not 192.168.0.0/16. My IP is 192.168.1.4. I changed all the lines to include that, but WaterRoof changes it automatically to 192.168.0.0 upon import, which is strange. I also tried to create the rules manually. I entered "me" in the popup menu for the IP address, but when the rule was added it said 192.168.0.0. I do not know how this is possible, as my network settings --> TCP/IP show 192.168.1.4 as my IPv4 address.

Thank you
lambrinoul 0 Posted ...

Ok. I will try to elaborate a little. I am new to this and hope I am not causing you too much frustration with all these questions. I am putting all my questions here as they are IP firewall related.

a) These rules (from Jesee) permit connections to the relevant AirVPN servers, right? But are they working with all configurations, or are they only for America, or only for Europe, etc.? What if I am interested in connecting with another AirVPN server on another continent? How do I find the IP address?

sudo ipfw add 02000 allow log ip from 192.168.0.0/16 to xxx keep-state # allow connect to: Tauri
sudo ipfw add 02004 allow log ip from 192.168.0.0/16 to xxx keep-state # Castor
sudo ipfw add 02008 allow log ip from 192.168.0.0/16 to xxx keep-state # Draconis
sudo ipfw add 02012 allow log ip from 192.168.0.0/16 to xxx keep-state # Sirius
sudo ipfw add 02016 allow log ip from 192.168.0.0/16 to xxx keep-state # Vega
sudo ipfw add 02020 allow log ip from 192.168.0.0/16 to xxx keep-state # Omnicron
sudo ipfw add 02024 allow log ip from 192.168.0.0/16 to xxx keep-state # Delphini
sudo ipfw add 02028 allow log ip from 192.168.0.0/16 to xxx keep-state # Lyra
sudo ipfw add 02032 allow log ip from 192.168.0.0/16 to xxx keep-state # Leonis
sudo ipfw add 02036 allow log ip from 192.168.0.0/16 to xxx keep-state # Orionis

b) If, theoretically, I want to connect only to one selected server, would the following work?

add 02000 allow log ip from 192.168.1.4/16 to xx.xxx.xx.xxx keep-state # Server of my preference
add 03000 allow log UDP to 255.255.255.255 # as you suggested earlier in this thread
add 04000 allow log ip from 127.0.0.1 to any
add 05000 allow log ip from 10.0.0.0/8 to any
add 05002 allow log ip from any to 10.0.0.0/8
add 65534 deny log ip from any to any

c) Is blocking/allowing IP enough? What about TCP and other protocols?

d) I have asked this earlier: apparently WaterRoof does not let me change the "from" IP, neither when I change the text file and import it nor when trying to create the rules manually inside WaterRoof. It does not accept my IP ("me" tab), which is 192.168.1.4, and displays 192.168.0.0 instead. What am I doing wrong?

e) On the occasions I would be connecting to TOR *first*, which hops around different IP addresses before connecting to AirVPN, these rules would block connections to TOR, right? So how could one go about creating rules for TOR?

Many thanks for your patience and support. Highly appreciated.
Staff 10014 Posted ...

Hello!

a) You can find the entry-IP address of a server by generating, with the Configuration Generator, the configuration for that server and looking (with any text editor) at the "remote" line of the .ovpn file. Or just ask us. The rules are ok both for UDP and TCP. Anyway, you might like to eliminate all that logging; it may be useless and also slow down the system.

b) Probably not. The rule "allow log UDP to 255.255.255.255" should be "allow udp from any to 255.255.255.255". Even "allow ip from any to 255.255.255.255" is ok. The rule "allow log ip from 127.0.0.1 to any" is risky. Something like "allow ip from 127.0.0.0/8 to 127.0.0.0/8" is safer. Additionally, you need to communicate with your internal network devices (at least with your router), so you should also add "allow ip from 192.168.0.0/16 to 192.168.0.0/16", or maybe (it depends on your subnet) even a more restrictive "allow ip from 192.168.1.0/24 to 192.168.1.0/24" could be fine. However, this rule will allow DNS queries to your router, and that could lead to a sort of DNS leak if your router re-transmits the query to your ISP. In this case, block outbound port 53 in the subnet: "deny ip from 192.168.0.0/16 to 192.168.0.0/16 53 out".

c) ip is Internet Protocol and includes TCP, UDP, ICMP etc.

d) 192.168.0.0/16 "covers" the range starting from 192.168.0.0 and ending at 192.168.255.255, so you're just fine.

e) Impossible to say in advance; you can't determine the entry node in the TOR network by default. One of the strong points of TOR is establishing different circuits. You're ok with the already mentioned rules, because if you connect OpenVPN over TOR, you want the final destinations (of your physical network card packets, not of the packets in the tun adapter of course) to be the entry-IP addresses of Air servers.

Kind regards
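As an added illustration (not code from the thread, from WaterRoof or from ipfw itself), here is a small Python first-match simulator for the subset of ipfw syntax used in this thread, run over a ruleset built from the corrections in the reply above. It assumes a LAN of 192.168.1.0/24, a placeholder VPN entry IP 203.0.113.10 and a placeholder external resolver 198.51.100.53; it shows why the port-53 deny has to carry a lower rule number than the LAN allow rule, and why 192.168.1.4/16 covers the whole 192.168.0.0/16 network.

```python
import ipaddress

# Added illustration, not code from the thread, WaterRoof or ipfw: a first-match
# evaluator for the small subset of ipfw syntax used in this thread (action,
# optional "log", proto ip/tcp/udp, from/to, "dst-port N"); keep-state, in/out
# and interface options are deliberately ignored.

def parse_rule(line):
    tok = line.split()
    assert tok[0] == "add", line
    num, action = int(tok[1]), tok[2]
    i = 4 if tok[3] == "log" else 3                   # skip optional "log"
    proto, src, dst = tok[i], tok[i + 2], tok[i + 4]  # proto, "from" X, "to" Y
    port = int(tok[tok.index("dst-port") + 1]) if "dst-port" in tok else None
    return (num, action, proto, src, dst, port)

def covers(net, ip):
    """True if ip lies inside net; "any" matches everything. strict=False lets
    a host address with a mask (192.168.1.4/16) stand for its network."""
    if net == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

def verdict(rules, proto, src, dst, dport=None):
    """(action, rule number) of the first matching rule, or None if no explicit
    rule matches and ipfw's own default rule would decide."""
    for num, action, rproto, rsrc, rdst, rport in rules:
        if rproto not in ("ip", proto):              # "ip" matches any protocol
            continue
        if rport is not None and rport != dport:
            continue
        if covers(rsrc, src) and covers(rdst, dst):
            return action, num
    return None

# Constructed ruleset applying the staff corrections: loopback only to loopback,
# DHCP broadcast allowed, DNS to the LAN denied *before* the LAN allow rule,
# placeholder VPN entry IP 203.0.113.10, tun subnet 10.0.0.0/8, deny the rest.
RULESET = """
add 02000 allow ip from 192.168.1.0/24 to 203.0.113.10 keep-state
add 03000 allow udp from any to 255.255.255.255
add 04000 allow ip from 127.0.0.0/8 to 127.0.0.0/8
add 04500 deny udp from 192.168.1.0/24 to 192.168.1.0/24 dst-port 53
add 04600 allow ip from 192.168.1.0/24 to 192.168.1.0/24
add 05000 allow ip from 10.0.0.0/8 to any
add 05002 allow ip from any to 10.0.0.0/8
add 65534 deny ip from any to any
"""
RULES = sorted(parse_rule(l) for l in RULESET.strip().splitlines())
```

Moving the deny to a number above 04600 makes rule 04600 match the router DNS query first, which is the leak the staff reply describes.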
amnesty 18 Posted ...

> What if I am interested in connecting with another AirVPN server on another continent? How do I find the IP address?

You could also query the FQDN (Fully Qualified Domain Name) for the server's IP address with ping or nslookup. But this would query DNS, so there is a slim chance it might be wrong if they changed a server's IP and it hasn't propagated across the Internet (theoretically, it could take up to 48 hours).

ping servername.airvpn.org

C:\Users\max>ping virginis.airvpn.org
Pinging virginis.airvpn.org [46.19.137.114] with 32 bytes of data:

nslookup servername.airvpn.org

>nslookup lyra.airvpn.org
Server:  UnKnown
Address:  10.30.0.1

Non-authoritative answer:
Name:    lyra.airvpn.org
Address:  62.212.85.65

> sudo ipfw add 02000 allow log ip from 192.168.0.0/16 to xxx keep-state # allow connect to: Tauri
> sudo ipfw add 02004 allow log ip from 192.168.0.0/16 to xxx keep-state # Castor
> sudo ipfw add 02008 allow log ip from 192.168.0.0/16 to xxx keep-state # Draconis
> sudo ipfw add 02012 allow log ip from 192.168.0.0/16 to xxx keep-state # Sirius
> sudo ipfw add 02016 allow log ip from 192.168.0.0/16 to xxx keep-state # Vega
> sudo ipfw add 02020 allow log ip from 192.168.0.0/16 to xxx keep-state # Omnicron
> sudo ipfw add 02024 allow log ip from 192.168.0.0/16 to xxx keep-state # Delphini
> sudo ipfw add 02028 allow log ip from 192.168.0.0/16 to xxx keep-state # Lyra
> sudo ipfw add 02032 allow log ip from 192.168.0.0/16 to xxx keep-state # Leonis
> sudo ipfw add 02036 allow log ip from 192.168.0.0/16 to xxx keep-state # Orionis

Some of these might not be available now; check out the Status page. I didn't see: Draconis, Vega, Omnicron, Delphini. You could confirm by using one of those commands:

>ping delphini.airvpn.org
Ping request could not find host delphini.airvpn.org. Please check the name and try again.

"Could not find" doesn't necessarily mean it does not exist; more likely my name server cannot find an entry for it. However, if a name server cannot find an entry, we pretty much wouldn't be able to connect anyway.

> e) On the occasions I would be connecting to TOR *first*, which hops around different IP addresses before connecting to AirVPN, these rules would block connections to TOR, right? So how could one go about creating rules for TOR?

For what it's worth, the Tor community prefers the network not be used for torrenting (mentioned in your original post). It's mostly volunteers donating their bandwidth (among other things). Not that people care.

> Many thanks for your patience and support. Highly appreciated.

I like that you're trying to learn this stuff.