tiger83052

Linux kill switch alongside Eddie


Hi

On Ubuntu 14.04 LTS

I added these rules using ufw:
sudo ufw default deny outgoing

sudo ufw default deny incoming

It seems that no traffic is being passed and that there's no network traffic at all.

When I use Eddie with Network Lock on I can connect without problems, and when I close Eddie

there is no traffic and I can't access any website or update any app.

I want to ask if these rules I made are good, because it looks too easy to be true.

With these 2 lines I've added, does my traffic now pass only when I'm connected to AirVPN?

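The two default-deny rules above do block everything, including the OpenVPN handshake, which is why the connection only comes up while Eddie's Network Lock has swapped in its own iptables rules. The script below is an added example, not code from this thread or from AirVPN/Eddie: a ufw kill switch that denies everything by default (inbound, outbound and routed traffic, the last being what `ufw default deny routed` controls) and then opens exactly two exits, the tunnel interface and the VPN server's endpoint, so OpenVPN can connect while ufw stays enabled and the rules survive Eddie being closed or the machine rebooting. The server address (a TEST-NET-3 placeholder), port, protocol, interface name and optional LAN subnet are all assumptions to be replaced with the values from your own Eddie/OpenVPN configuration.

```shell
#!/bin/sh
# Added example for this thread (not code from the original posts or from AirVPN/Eddie).
# A ufw kill switch that leaves only two ways out of the host: the tunnel interface
# and the VPN server's endpoint, so OpenVPN can still connect while ufw stays up.
# Every host, port, protocol and interface below is a placeholder (assumption);
# set the variables in your environment before running with --apply.
set -u

VPN_SERVER="${VPN_SERVER:-203.0.113.10}"   # placeholder (TEST-NET-3); use your Air server IP
VPN_PORT="${VPN_PORT:-443}"                # placeholder; the port in your OpenVPN config
VPN_PROTO="${VPN_PROTO:-udp}"              # placeholder; udp or tcp
VPN_IF="${VPN_IF:-tun0}"                   # tunnel interface OpenVPN creates
LAN_NET="${LAN_NET:-}"                     # e.g. 192.168.1.0/24; empty keeps the host off the LAN

# Emit the ufw commands that make up the kill switch, one per line, in order.
# Nothing is executed here, so the rule set can be reviewed (or tested) first.
killswitch_rules() {
    printf '%s\n' \
        "ufw --force reset" \
        "ufw default deny incoming" \
        "ufw default deny outgoing" \
        "ufw default deny routed" \
        "ufw allow out on $VPN_IF" \
        "ufw allow out to $VPN_SERVER port $VPN_PORT proto $VPN_PROTO"
    # Optional: keep access to the local network (LAN DNS, printers, SSH from the LAN).
    # Leave LAN_NET empty if, like the last poster, you want tun0 to be the only exit.
    if [ -n "$LAN_NET" ]; then
        printf '%s\n' "ufw allow out to $LAN_NET" "ufw allow in from $LAN_NET"
    fi
    printf '%s\n' "ufw --force enable"
}

# Number of commands in the rule set (7 without a LAN rule, 9 with one).
killswitch_rule_count() {
    killswitch_rules | wc -l | tr -d ' '
}

# Run the rule set as root. Without --apply it only prints it.
apply_killswitch() {
    if [ "${1:-}" = "--apply" ]; then
        [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
        killswitch_rules | sh -ex
    else
        killswitch_rules
    fi
}

apply_killswitch "${1:-}"
```

Two caveats before relying on it: anything Eddie does before the tunnel is up that needs the network (resolving the server name, fetching its server list) is also blocked by `default deny outgoing`, so either add explicit rules for that or connect with a plain OpenVPN profile that uses the server IP; and after connecting, confirm with `ufw status verbose` and `ip route` that the default route really goes via the tunnel interface, since a stale rule that allows out on the physical interface would silently defeat the whole thing.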

Ok, but why would you want to do that? Eddie's Network Lock is sufficient IMO; it also works with iptables under Linux.

 

Regards

 

Fox


Yup, that's about it. You could also deny forwarding if you really wanted to go wild lol.

If you could explain to me how to do this, please?


Eddie's Network Lock feature is temporary; I want no network traffic to pass even when I close Eddie.

It's probably:

ufw default deny forwarding

I never use ufw, but this seems logical. If it doesn't work, do some searching.

I'm also unsure how ufw handles IPv6. It may set up ip6tables by default, but TBH I don't know that for sure.

Perhaps someone else does, or you could always do a bit of searching.



			
		


Thanks for your reply. For IPv6, I managed to disable it by

$ sudo su -
# nano /etc/sysctl.conf

and adding these lines

#disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

then saving the file and rebooting, and I checked whether it's disabled or not with this command

$ cat /proc/sys/net/ipv6/conf/all/disable_ipv6

If you receive 0 then it's enabled, and if 1 it's disabled. I received 1.

For denying forwarding I haven't found a proper guide yet...

sysctl -a | grep ipv6

^ grep is a handy search function too.

@ipv6

If not needed I kill it in sysctl and toss up ip6tables rules, just for completeness.

I've seen a few sysctl switches change over time with little documentation. It just helps me sleep better knowing that if someone changed something, there's ip6tables in place just in case.

 

After some research on forwarding, I found this in /etc/default/ufw:

DEFAULT_FORWARD_POLICY="DROP"

I think I'm good to start, right?

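The thread ends up relying on three settings: the `disable_ipv6` keys in /etc/sysctl.conf, `DEFAULT_FORWARD_POLICY="DROP"` in /etc/default/ufw (which is exactly what `ufw default deny routed`, the documented keyword rather than "forwarding", writes there), and whether ufw is also loading ip6tables rules (`IPV6=yes` in the same file, which is Ubuntu's shipped default). The script below is an added example, not code from this thread, that audits all three. Each check takes a file path so it can be run against the constructed sample files it writes itself; `--live` runs it on the real files and then shows the kernel's and ufw's runtime state, because what sysctl.conf says and what /proc/sys reports after a reboot are two different questions.

```shell
#!/bin/sh
# Added example for this thread (not code from the original posts). It checks the
# three things the thread ended up relying on: disable_ipv6 in /etc/sysctl.conf,
# DEFAULT_FORWARD_POLICY in /etc/default/ufw, and whether ufw is also managing
# ip6tables (IPV6=yes in the same file). Each check takes a file path so it can
# be run against constructed copies; the --live flag runs it on the real system.
set -u

# Print 1 when all three disable_ipv6 keys are set to 1 in a sysctl.conf-style
# file, otherwise 0. The last assignment of a key wins, as it does for sysctl.
ipv6_disabled_in_conf() {
    conf="$1"
    for key in all default lo; do
        val=$(sed -n "s/^[[:space:]]*net\.ipv6\.conf\.$key\.disable_ipv6[[:space:]]*=[[:space:]]*\([01]\).*/\1/p" "$conf" | tail -n 1)
        if [ "$val" != "1" ]; then
            echo 0
            return 0
        fi
    done
    echo 1
}

# Value of DEFAULT_FORWARD_POLICY in an /etc/default/ufw-style file ("" if absent).
# `ufw default deny routed` writes DROP here; the thread's manual edit does the same.
ufw_forward_policy() {
    sed -n 's/^DEFAULT_FORWARD_POLICY="\([A-Z]*\)".*/\1/p' "$1" | tail -n 1
}

# Value of IPV6= in the same file (yes means ufw loads ip6tables rules too).
ufw_ipv6_setting() {
    sed -n 's/^IPV6=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Constructed sample files (not copied from any real host) for an offline run.
write_samples() {
    dir="$1"
    printf '%s\n' '#disable ipv6' \
        'net.ipv6.conf.all.disable_ipv6 = 1' \
        'net.ipv6.conf.default.disable_ipv6 = 1' \
        'net.ipv6.conf.lo.disable_ipv6 = 1' > "$dir/sysctl.conf"
    printf '%s\n' 'IPV6=yes' 'DEFAULT_INPUT_POLICY="DROP"' \
        'DEFAULT_OUTPUT_POLICY="DROP"' 'DEFAULT_FORWARD_POLICY="DROP"' > "$dir/ufw"
}

# Report on a sysctl.conf and a default/ufw file; return 1 if either hard check fails.
audit_files() {
    rc=0
    if [ "$(ipv6_disabled_in_conf "$1")" = 1 ]; then echo "sysctl.conf: IPv6 disabled"
    else echo "sysctl.conf: IPv6 NOT fully disabled"; rc=1; fi
    if [ "$(ufw_forward_policy "$2")" = DROP ]; then echo "ufw: forwarding dropped"
    else echo "ufw: DEFAULT_FORWARD_POLICY is not DROP"; rc=1; fi
    if [ "$(ufw_ipv6_setting "$2")" = yes ]; then echo "ufw: also managing ip6tables"
    else echo "ufw: IPV6 is not 'yes'; ufw leaves ip6tables alone"; fi
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    audit_files /etc/sysctl.conf /etc/default/ufw
    # What the kernel and ufw actually do right now, not just what the files say.
    cat /proc/sys/net/ipv6/conf/all/disable_ipv6
    ufw status verbose
else
    tmp=$(mktemp -d)
    write_samples "$tmp"
    audit_files "$tmp/sysctl.conf" "$tmp/ufw"
    rm -r "$tmp"
fi
```

Run it as `sh audit.sh` for the offline demonstration on the constructed files, or `sudo sh audit.sh --live` on the host. The IPV6 line is informational only: with IPv6 disabled in the kernel it does not matter, but if you ever re-enable IPv6, `IPV6=yes` is what makes the same default-deny policy apply to ip6tables as well, which is the "just in case" the earlier reply was after.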

How much isolation do you want from your LAN? There were some questions above regarding UFW, and that tool does some neat things. In my case I prefer to use UFW as my "broken connection" firewall and to assure that once the Air connection is dead (intentionally or accidentally) my host OS has NO connectivity. I can't even reconnect to Air until I lower the UFW firewall. Obviously if the host has no connectivity then the chained VMs down the string don't either. The chained VMs are either NAT or Bridge and pass ultimately through the host, and it's the only way out of this machine!

Using a terminal you can enable and disable UFW in a few seconds. So to connect I disable UFW using a terminal and then connect using Eddie. Once connected I enable UFW and proceed down my string of VMs until reaching the workspace VM. All the time I know that only tun0 has any connectivity. For me the bonus is I purposely isolate my tunnel machine completely from my LAN. No other device on the LAN can access/see tun0. This config may be too restrictive for some users, but in my case all the many devices on my LAN scare me some regarding potential security risks. This way I take them out of the loop and ISOLATE for maximum privacy and safety. My take.
