Evenstar

Win - Mac - BSD Block traffic when VPN disconnects


Thanks for the reply

I have tried following the link in that post. Problem is, it seems the only way you can do it via the Win 7 firewall is to turn off a whole bunch of protocols in uTorrent that the firewall can't block such as DHT. Which I would have to assume would slow down the torrents?

So I tried using the Comodo firewall to block uTorrent unless it was on your IP range. But I'm a bit confused about this. So say I want to connect to Castor. Should I be opening the IP range that I can see I am connected on the client? Or the IP ranges listed on your technical specs page? Then do I need to open an IP range for each different one of your servers I want to connect to? Also do I still separately need to open an incoming port for the port forwarding?

Sorry, I don't have a lot of experience with firewall setup, could really use some help.


Oops, don't know why this started a new topic, I was replying to your answer on my previous post. Pretty sure I hit Reply, weird.

Hello! No problems at all.

With Comodo, the procedure is simple and fast. When you connect to AirVPN, regardless of the server you're connected to, your TUN/TAP adapter is DHCP-assigned an IP address in the range specified by our Technical Specs page. https://airvpn.org/specs/

Therefore, in order to block a program from sending out packets when you're not connected to Air, just block (for any program you wish) any outgoing packet NOT coming from range 10.4.0.0->10.9.255.255, from any port to any port. Comodo supports both IP ranges (without need of CIDR notation) and the NOT operator.

Open your Comodo control center, click on the tab "Firewall", select "Network Security Policy", click on the tab "Application Rules".

Detect the application you want to block when not connected to Air, or add it in the list through the "Browse" command, right-click on the application entry, select "Edit rule" (or "Add rule" if the application has no rules), and define the rule as you can see in the attached image. Leave "Source Port" and "Destination Port" to "Any".

Please do not hesitate to contact us for any further information.

Kind regards

(attached image: comodo_rule1.jpg)


Hello!

Is there a good and easy way to block traffic when VPN disconnects for Mac OS X?

Thanks

Hello!

Mac OSX 10.6 was shipped with the FreeBSD ipfw firewall. If you're not comfortable with shell and command lines, ipfw has a practical frontend, Waterroof, that will allow you to set the aforementioned rules in order to block outgoing packets in case of accidental VPN disconnection:

http://www.hanynet.com/waterroof

ipfw has been deprecated since Mac OSX 10.7 and 10.8. The powerful OpenBSD PF is now recommended; anyway, ipfw+Waterroof will work.

The PF GUI can be found in System Preferences: Security & Privacy: Firewall; unfortunately this GUI is too rudimentary, so you'll probably have to set the rules in the pf.conf file.

A quick how-to is here:

http://www.obfuscation.org/ipf/www.inebriated.demon.nl/pf-howto

A quicker how-to is here:

http://thenewtech.tv/community/openbsd-pf-on-mac-osx-lion

The following very basic rules would block all traffic outside the tunnel (edit with any text editor /etc/pf.conf) assuming that your ethernet or wifi interface has the address 192.168.*.* and that the tun interface used by OpenVPN is tun0:

block out on <your_network_interface> from 192.168.0.0/16 to any
pass out quick on <your_network_interface> from 192.168.0.0/16 to <AirVPN_server_entry_IP>
pass out quick on tun0 from any to any

Then execute

pfctl -e
pfctl -f /etc/pf.conf

to enable pf and load your ruleset.

If the connection drops, no packets will go out, so you will be able only to reconnect to the VPN and nothing else until you disable pf with

pfctl -d

Also, those rules will prevent DNS leakage.

You might prepare automated scripts to enable and disable pf or to modify rules. Also, the above example is really rudimentary, so you might like to refine the pf behaviour. Please always test your rules to check whether they do what they are expected to do.

Please do not hesitate to contact us for any further information or support.

Kind regards


@Orfeo

Hello!

Just an additional note, if you need your Mac to communicate with your internal network when connected to the VPN, assuming that your internal network has devices in 192.168.0.0/16:

block out all
pass out quick on <your_network_interface> from 192.168.0.0/16 to <AirVPN_server_entry_IP>
pass out quick on <your_network_interface> from 192.168.0.0/16 to 192.168.0.0/16
pass out quick on tun0 from any to any

Finally, you may add as many "pass out ... to ..." rules as you wish, listing all the Air servers' entry-IP addresses, in order to switch swiftly from one server to another.

Kind regards


Thanks for your detailed response. I’m afraid the use of OpenBSD PF may be a bit too complicated for me at the moment. With your help, however, I stumbled upon a follow-up to WaterRoof, IceFloor 1.1 (http://www.hanynet.com/icefloor/index.html), which has a frontend for Mac OS X 10.7 and later.

Please, could you give me some advice about the settings in order to block outgoing packages in case of accidental VPN disconnection. Thanks a lot.


Hi, I'm running AVG Internet Security 2012 and was wondering if you know how to block access to the internet for specific apps via my firewall if my VPN drops connection?

Regards,

Dave


Hello!

Excellent. You will just have to add the rules posted in the previous messages in IceFloor. In the list of features, the author writes "edit main PF and anchors configuration files with the built-in editor". You can just do that and copy & paste the given rules. Just take care to identify the correct IP addresses and network cards.

Please do not hesitate to contact us for any further information or support.

Kind regards


Hello!

You should check whether AVG has the ability to set specific rules for each program as specified in the guidelines given for Comodo in this thread (for your comfort, your message has been moved here). AVG Manuals are available here:

http://www.avg.com/us-en/downloads-documentation

AVG FAQ & Tutorials: http://www.avg.com/us-en/faq

Please do not hesitate to contact us for any further support or information.

Kind regards


Thanks again. – Now, after I copied this set of rules

block out on <my network_interface> from 192.168.0.0/16 to any
pass out quick on tun0 from any to any

into the file pf.con, I saved, reset, and reloaded the PF file. To my surprise, I was greeted with this message:

PF ERROR! No ALTQ support in kernel
ALTQ related functions disableb
/etc/pf.conf.23: syntax error
/etc/pf.conf:24: syntax error

Do you have any idea what’s going wrong?

I also wanted to use this rule:

pass out quick on <your_network_interface> from 192.168.0.0/16 to <AirVPN_server_entry_IP>

but I couldn’t find the AirVPN_server_entry_IP.

Could you provide me with a foolproof how-to? Nothing could be too simple, at least for me. Thanks


Hello!

PF needs ALTQ (Alternate Queuing for Network Packets) kernel support to use all its features. Alternate queuing of network packets provides disciplines for queuing outgoing network packets (for example traffic shaping) in *BSD based systems. Apparently your Mac OSX does not come with a kernel built with this support or your network card driver does not support ALTQ functions; however, you should not need them for basic firewall operations: PF will just run with ALTQ functions disabled. You can't recompile and build the Mac OSX kernel (it's not open source).

The default configuration file read by pf is pf.conf, not pf.con (if it was just a mistyping on your message, ignore this warning).

Lines 23 and 24 have a syntax error, feel free to paste pf.conf here.

You can find the entry-IP address by looking at the line with the directive "remote" in the air.ovpn configuration file you have (just display it with the cat command or open it with any text editor).

Please do not hesitate to contact us for any further information.

Kind regards


Hello

„Lines 23 and 24 have a syntax error, feel free to paste pf.conf here.“

#
# Default PF configuration file.
#
# This file contains the main ruleset, which gets automatically loaded
# at startup. PF will not be automatically enabled, however. Instead,
# each component which utilizes PF is responsible for enabling and disabling
# PF via -E and -X as documented in pfctl(8). That will ensure that PF
# is disabled only when the last enable reference is released.
#
# Care must be taken to ensure that the main ruleset does not get flushed,
# as the nested anchors rely on the anchor point defined here.
#
# See pf.conf(5) for syntax.
#
#
# com.apple anchor point
#
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
block out on en0 from 192.168.0.0/16 to any
pass out quick on tun0 from any to any

Please have a look at it. I really appreciate your support.


@Orfeo

Hello!

What happens with the following rules?

block out all
pass out quick from 127.0.0.1 to any
pass out quick from 192.168.0.0/16 to <AirVPN_server_entry_IP>
pass out quick from 10.0.0.0/8 to any
pass out quick from 192.168.0.0/16 to 192.168.0.0/16

Kind regards


Hello!

I pasted the new set of rules into the pf.conf file and received this message after I tried to reset and reload:

PF ERROR! No ALTQ support in kernel
ALTQ related functions disabled
/etc/pf.conf:23: syntax error

Here again the set of rules I pasted into the pf.conf file.

block out all
pass out quick from 127.0.0.1 to any
pass out quick from 192.168.0.0/16 to 62.212.85.65 443
pass out quick from 10.0.0.0/8 to any
pass out quick from 192.168.0.0/16 to 192.168.0.0/16

Thanks for your effort.


Hello!

What is that 443 in the line "pass out quick from 192.168.0.0/16 to 62.212.85.65 443"? Please delete it.

Kind regards


Hello!

„What is that 443 ...“?

The 443 is part of the „remote“ info in the air.ovpn configuration file. It seems to be the port number.

I deleted the 443 and still get this message:

PF ERROR! No ALTQ support in kernel
ALTQ related functions disabled
/etc/pf.conf:23: syntax error

So I guess the line with the syntax error is still this:

pass out quick from 192.168.0.0/16 to 62.212.85.65

But, of course, I am not sure.

The complete paste of the pf.conf file now reads like this:

#
# Default PF configuration file.
#
# This file contains the main ruleset, which gets automatically loaded
# at startup. PF will not be automatically enabled, however. Instead,
# each component which utilizes PF is responsible for enabling and disabling
# PF via -E and -X as documented in pfctl(8). That will ensure that PF
# is disabled only when the last enable reference is released.
#
# Care must be taken to ensure that the main ruleset does not get flushed,
# as the nested anchors rely on the anchor point defined here.
#
# See pf.conf(5) for syntax.
#
#
# com.apple anchor point
#
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
block out all
pass out quick from 127.0.0.1 to any
pass out quick from 192.168.0.0/16 to 62.212.85.65
pass out quick from 10.0.0.0/8 to any
pass out quick from 192.168.0.0/16 to 192.168.0.0/16

Any idea what’s wrong? Thanks.


Hello!

Locate line 23 to be sure to identify which line is giving syntax error. Also, make sure that after the copy & paste you have not inserted characters which may cause problems to the pf parser, for example CR+LF. Also, each line must be terminated with a CR, including the last line. Refer finally to your pf man page to check whether the syntax of your pf version is slightly different.

Kind regards
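Putting the advice from this thread into a small script (an added example, not AirVPN's own code and not part of IceFloor): it pulls the entry IP out of the "remote" line of an .ovpn file, emits the ruleset from the earlier PF post for a given interface, LAN range and entry IP, and refuses the mistakes reported above before pfctl ever sees the file: a <placeholder> left in place, the port number copied along with the address, and CR characters from a copy and paste. The sample .ovpn text, the interface name en0 and the function names are constructed for the example; the address 62.212.85.65 and port 443 are the values quoted in the thread.

```sh
#!/bin/sh
# Added example, not AirVPN's or IceFloor's code: generate and sanity-check the
# PF "block when the VPN drops" ruleset from this thread before loading it.

# Constructed sample of an OpenVPN client config. The "remote <ip> <port>"
# line is the one the thread says to look for; address and port are the
# values quoted in the thread, the other lines are filler.
SAMPLE_OVPN='client
dev tun
proto udp
remote 62.212.85.65 443
resolv-retry infinite'

# Print only the address field of the first "remote" directive. The port is
# deliberately dropped: "to 62.212.85.65 443" is not valid PF syntax.
entry_ip_from_ovpn() {
    printf '%s\n' "$1" | awk '$1 == "remote" { print $2; exit }'
}

# Emit the ruleset posted earlier in the thread: block everything leaving the
# LAN interface except traffic to the VPN server entry IP and to the LAN
# itself, and let anything out through the tunnel.
#   $1 = LAN-facing interface (e.g. en0), $2 = LAN range,
#   $3 = server entry IP, $4 = tunnel interface (default tun0)
gen_pf_rules() {
    iface=$1 lan=$2 entry=$3 tun=${4:-tun0}
    case $entry in
        '')          echo 'gen_pf_rules: entry IP missing' >&2; return 1 ;;
        *'<'*|*'>'*) echo "gen_pf_rules: replace the placeholder '$entry' with a real address" >&2; return 1 ;;
        *' '*)       echo "gen_pf_rules: entry IP must not carry a port: '$entry'" >&2; return 1 ;;
    esac
    printf 'block out on %s from %s to any\n' "$iface" "$lan"
    printf 'pass out quick on %s from %s to %s\n' "$iface" "$lan" "$entry"
    printf 'pass out quick on %s from %s to %s\n' "$iface" "$lan" "$lan"
    printf 'pass out quick on %s from any to any\n' "$tun"
}

# Check ruleset text for the paste problems reported in the thread.
# Returns 0 when clean, 1 with a message on stderr otherwise.
check_pf_text() {
    text=$1
    cr=$(printf '\r')
    case $text in
        *"$cr"*)   echo 'check_pf_text: CR characters found; save the file with plain LF line endings' >&2; return 1 ;;
        *'<'*'>'*) echo 'check_pf_text: a <placeholder> is still in the ruleset' >&2; return 1 ;;
    esac
    # "to <address> <number>" at the end of a rule is a port copied from the
    # "remote" line; the thread's advice is simply to remove it.
    if printf '%s\n' "$text" | grep -Eq ' to [0-9.]+[[:space:]]+[0-9]+[[:space:]]*$'; then
        echo 'check_pf_text: a port number follows an address; remove it' >&2; return 1
    fi
    return 0
}

# Stand-alone run ("sh script.sh demo"): build the ruleset from the sample and,
# where pfctl exists (macOS/BSD), ask it to parse the file without loading it.
if [ "${1:-}" = demo ]; then
    ip=$(entry_ip_from_ovpn "$SAMPLE_OVPN")
    rules=$(gen_pf_rules en0 192.168.0.0/16 "$ip") || exit 1
    check_pf_text "$rules" || exit 1
    printf '%s\n' "$rules"
    if command -v pfctl >/dev/null 2>&1; then
        tmp=$(mktemp) || exit 1
        printf '%s\n' "$rules" > "$tmp"
        pfctl -nf "$tmp"
        rm -f "$tmp"
    fi
fi
```

The generated rules are meant to be appended after the "load anchor" line of the stock macOS /etc/pf.conf shown in this thread, and "pfctl -nf" only parses the file, so a syntax error is reported without touching the running ruleset; the real load is still "pfctl -f /etc/pf.conf" followed by "pfctl -e" as described above.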


Hello!

When I count the lines of the pf file, the one with the syntax error is this:

block out all

So, for a test, I deleted the line, reset and reloaded the pf.conf –– and didn’t receive an error message!

The message I got simply reads:

PF firewall reset, configuration reloaded from /etc/pf.con

But is this what I want? Will the firewall now block outgoing packages in case of vpn disconnection?

Thanks


Hello!

No, this is not what you want, the firewall will not block anything without that rule.

Replace it with:

block out from 192.168.0.0/16 to any

PF will block any outgoing packet from 192.168.*.*, except those which match the subsequent "pass out" rules.

If there are no more syntax errors, test the configuration. Activate pf. Now you should lose your Internet connectivity, except toward Lyra. Connect to Air server Lyra entry-IP (62.212.85.65), any port. The connection should succeed thanks to the relevant pass out rule. Now you should have full connectivity. Launch a bittorrent client, share some redistributable content. Let it work for some minutes. Then, disconnect from the VPN. If everything is ok, you should immediately see a total drop of outgoing packets from any application, including the bittorrent client.

Anyway, you should investigate further, because "block out all" is a perfectly legal directive on any pf version.

Kind regards


Hello!

The insertion of the new rule didn’t cause a syntax error message. I will test the new configuration in a little while and report back.

Thanks a lot!


I've seen the VPN/Firewall Blocking instructions for Comodo. You wouldn't happen to have instructions for a recent version of Norton would you? My experience with networking issues is pretty weak.

Hello!

We're sorry, currently we don't provide step-by-step support for Symantec products. Symantec products are commercial products which offer full customer support, so you might try to have support from their team. You could:

- replicate the rules suggested for any firewall in the forum (Comodo, PF...) on your Norton Firewall

- switch to Comodo: independent peer-reviews performed with high-standard leak tests show that Comodo Firewall in terms of security is highly superior to Norton Firewall (we underline "firewall"); in severe leak tests Norton Firewall 2012 protection rates as "NONE" (!!!) while Comodo rates as "excellent", see for example http://www.matousec.com/projects/proactive-security-challenge/results.php

- Comodo is not open source but it's freely redistributable, see https://personalfirewall.comodo.com

The only software firewalls for old Windows OS that are not useless (or dangerous) toys are (% shows the percentage of passed leak tests, the higher the better):

Comodo Internet Security 5.3.176757.1236 (free): 100%
Online Solutions Security Suite 1.5.14905.0: 99%
Privatefirewall 7.0.25.4 (free): 98%
Outpost Security Suite Free 7.0.4.3418.520.1245.401 (free): 97%
Outpost Security Suite Pro 7.5.1.3791.596.1681: 97%
BitDefender Internet Security 2011 14.0.30.357: 97%
Kaspersky Internet Security 2012 12.0.0.374: 93%
Malware Defender 2.7.3.0002 (free): 91%

Norton Internet Security 2012 has 20% (protection "none").

For the most updated "Proactive Security Challenge", see http://www.matousec.com/projects/proactive-security-challenge-64/results.php. This new challenge shows that apart from Comodo (94%), a secure firewall for 64-bit Windows versions does not exist.

Kind regards


Thank you. This is very helpful information. I was planning on finding an alternative for Norton, and this helped me determine what anti-virus/firewall combination I will likely go with.


Hello!

It works! It works!

You guys did a fantastic job. Excellent support! I’m a complete vpn-novice and now I even have a firewall. Thanks a lot.

As to the error message caused by the insertion of the rule “block out any” in the pf.conf file: Could it be due to a conflict with the standard setting of IceFloor which allows access to LAN?

The new rules in the pf.conf file are represented by IceFloor in the frontend “Manage PF rules” panel in this way:

anchor "com.apple/*"
block drop out inet from 192.168.0.0/16 to any
pass out quick inet from 192.168.0.0/16 to 62.212.85.65 flags S/SA keep state
pass out quick inet from 192.168.0.0/16 to 192.168.0.0/16 flags S/SA keep state
pass out quick inet from 127.0.0.1 to any flags S/SA keep state
pass out quick inet from 10.0.0.0/8 to any flags S/SA keep state

Again, thanks a lot.
