Evenstar Posted ...

Thanks for the reply. I have tried following the link in that post. Problem is, it seems the only way you can do it via the Win 7 firewall is to turn off a whole bunch of protocols in uTorrent that the firewall can't block, such as DHT, which I would have to assume would slow down the torrents? So I tried using the Comodo firewall to block uTorrent unless it was on your IP range. But I'm a bit confused about this. So say I want to connect to Castor. Should I be opening the IP range that I can see I am connected on in the client? Or the IP ranges listed on your technical specs page? Then do I need to open an IP range for each different one of your servers I want to connect to? Also, do I still separately need to open an incoming port for the port forwarding? Sorry, I don't have a lot of experience with firewall setup, could really use some help.
Evenstar Posted ...

Oops, don't know why this started a new topic, I was replying to your answer on my previous post. Pretty sure I hit Reply, weird.
Staff Posted ...

> Oops, don't know why this started a new topic, I was replying to your answer on my previous post. Pretty sure I hit Reply, weird.

Hello! No problems at all.

> Thanks for the reply. I have tried following the link in that post. Problem is, it seems the only way you can do it via the Win 7 firewall is to turn off a whole bunch of protocols in uTorrent that the firewall can't block, such as DHT, which I would have to assume would slow down the torrents? So I tried using the Comodo firewall to block uTorrent unless it was on your IP range. But I'm a bit confused about this. So say I want to connect to Castor. Should I be opening the IP range that I can see I am connected on in the client? Or the IP ranges listed on your technical specs page? Then do I need to open an IP range for each different one of your servers I want to connect to? Also, do I still separately need to open an incoming port for the port forwarding? Sorry, I don't have a lot of experience with firewall setup, could really use some help.

With Comodo, the procedure is simple and fast. When you connect to AirVPN, regardless of the server you're connected to, your TUN/TAP adapter is DHCP-assigned an IP address in the range specified by our Technical Specs page: https://airvpn.org/specs/

Therefore, in order to block a program from sending out packets when you're not connected to Air, just block (for any program you wish) any outgoing packet NOT coming from the range 10.4.0.0-10.9.255.255, from any port to any port. Comodo supports both IP ranges (without need of CIDR notation) and the NOT operator.

Open your Comodo control center, click on the tab "Firewall", select "Network Security Policy", click on the tab "Application Rules". Locate the application you want to block when not connected to Air, or add it to the list through the "Browse" command, right-click on the application entry, select "Edit rule" (or "Add rule" if the application has no rules), and define the rule as you can see in the attached image. Leave "Source Port" and "Destination Port" to "Any".

Please do not hesitate to contact us for any further information.

Kind regards
Orfeo Posted ...

Hello! Is there a good and easy way to block traffic when VPN disconnects for Mac OS X? Thanks
Staff Posted ...

> Hello! Is there a good and easy way to block traffic when VPN disconnects for Mac OS X? Thanks

Hello!

Mac OS X 10.6 was shipped with the FreeBSD ipfw firewall. If you're not comfortable with the shell and command lines, ipfw has a practical frontend, WaterRoof, that will allow you to set the aforementioned rules in order to block outgoing packets in case of accidental VPN disconnection: http://www.hanynet.com/waterroof

ipfw has been deprecated since Mac OS X 10.7 and 10.8. The powerful OpenBSD PF is now recommended; anyway, ipfw+WaterRoof will work.

The PF GUI can be found in System Preferences: Security & Privacy: Firewall; unfortunately this GUI is too rudimentary, so you'll probably have to set the rules in the pf.conf file.

A quick how-to is here: http://www.obfuscation.org/ipf/www.inebriated.demon.nl/pf-howto

A quicker how-to is here: http://thenewtech.tv/community/openbsd-pf-on-mac-osx-lion

The following very basic rules would block all traffic outside the tunnel (edit /etc/pf.conf with any text editor), assuming that your ethernet or wifi interface has the address 192.168.*.* and that the tun interface used by OpenVPN is tun0:

    block out on <your_network_interface> from 192.168.0.0/16 to any
    pass out quick on <your_network_interface> from 192.168.0.0/16 to <AirVPN_server_entry_IP>
    pass out quick on tun0 from any to any

Then execute

    pfctl -e
    pfctl -f /etc/pf.conf

to enable pf and load your ruleset. If the connection drops, no packets will go out, so you will be able only to reconnect to the VPN and nothing else until you disable pf with pfctl -d. Also, those rules will prevent DNS leakage.

You might prepare automated scripts to enable and disable pf or to modify rules. Also, the above example is really rudimentary, so you might like to refine the pf behaviour. Please always test your rules to check whether they do what they are expected to.

Please do not hesitate to contact us for any further information or support.

Kind regards
Staff Posted ...

@Orfeo

Hello!

Just an additional note: if you need your Mac to communicate with your internal network when connected to the VPN, assuming that your internal network has devices in 192.168.0.0/16:

    block out all
    pass out quick on <your_network_interface> from 192.168.0.0/16 to <AirVPN_server_entry_IP>
    pass out quick on <your_network_interface> from 192.168.0.0/16 to 192.168.0.0/16
    pass out quick on tun0 from any to any

Finally, you may add as many "pass out ... to <AirVPN_server_entry_IP>" rules as you wish, listing all the Air servers' entry-IP addresses, in order to switch swiftly from one server to another.

Kind regards
Orfeo Posted ...

Thanks for your detailed response. I'm afraid the use of OpenBSD PF may be a bit too complicated for me at the moment. With your help, however, I stumbled upon a follow-up to WaterRoof, IceFloor 1.1 (http://www.hanynet.com/icefloor/index.html), which has a frontend for Mac OS X 10.7 and later. Please, could you give me some advice about the settings in order to block outgoing packages in case of accidental VPN disconnection. Thanks a lot.
Quark Posted ...

Hi, I'm running AVG Internet Security 2012 and was wondering if you know how to block access to the internet for specific apps via my firewall if my VPN drops connection?

Regards,
Dave
Staff Posted ...

> Thanks for your detailed response. I'm afraid the use of OpenBSD PF may be a bit too complicated for me at the moment. With your help, however, I stumbled upon a follow-up to WaterRoof, IceFloor 1.1 (http://www.hanynet.com/icefloor/index.html), which has a frontend for Mac OS X 10.7 and later. Please, could you give me some advice about the settings in order to block outgoing packages in case of accidental VPN disconnection. Thanks a lot.

Hello!

Excellent. You will just have to add the rules posted in the previous messages in IceFloor. In the list of features, the author writes "edit main PF and anchors configuration files with the built-in editor". You can just do that and copy & paste the given rules. Just take care to identify the correct IP addresses and network cards.

Please do not hesitate to contact us for any further information or support.

Kind regards
Staff Posted ...

> Hi, I'm running AVG Internet Security 2012 and was wondering if you know how to block access to the internet for specific apps via my firewall if my VPN drops connection?
> Regards,
> Dave

Hello!

You should check whether AVG has the ability to set specific rules for each program, as specified in the guidelines given for Comodo in this thread (for your comfort, your message has been moved here). AVG manuals are available here: http://www.avg.com/us-en/downloads-documentation

AVG FAQ & Tutorials: http://www.avg.com/us-en/faq

Please do not hesitate to contact us for any further support or information.

Kind regards
Orfeo Posted ...

Thanks again. Now, after I copied this set of rules

    block out on <my_network_interface> from 192.168.0.0/16 to any
    pass out quick on tun0 from any to any

into the file pf.con, I saved, reset, and reloaded the PF file. To my surprise, I was greeted with this message:

    PF ERROR! No ALTQ support in kernel
    ALTQ related functions disabled
    /etc/pf.conf:23: syntax error
    /etc/pf.conf:24: syntax error

Do you have any idea what's going wrong? I also wanted to use this rule:

    pass out quick on <your_network_interface> from 192.168.0.0/16 to <AirVPN_server_entry_IP>

but I couldn't find the AirVPN_server_entry_IP. Could you provide me with a fool-proof how-to? Nothing could be too simple, at least for me. Thanks
Staff Posted ...

> Thanks again. Now, after I copied this set of rules
>
>     block out on <my_network_interface> from 192.168.0.0/16 to any
>     pass out quick on tun0 from any to any
>
> into the file pf.con, I saved, reset, and reloaded the PF file. To my surprise, I was greeted with this message:
>
>     PF ERROR! No ALTQ support in kernel
>     ALTQ related functions disabled
>     /etc/pf.conf:23: syntax error
>     /etc/pf.conf:24: syntax error
>
> Do you have any idea what's going wrong? I also wanted to use this rule:
>
>     pass out quick on <your_network_interface> from 192.168.0.0/16 to <AirVPN_server_entry_IP>
>
> but I couldn't find the AirVPN_server_entry_IP. Could you provide me with a fool-proof how-to? Nothing could be too simple, at least for me. Thanks

Hello!

PF needs ALTQ (Alternate Queuing for Network Packets) kernel support to use all its features. Alternate queuing of network packets provides disciplines for queuing outgoing network packets (for example traffic shaping) in *BSD based systems. Apparently your Mac OS X does not come with a kernel built with this support, or your network card driver does not support ALTQ functions; however, you should not need them for basic firewall operations: PF will just run with disabled ALTQ functions. You can't recompile and build the Mac OS X kernel (it's not open source).

The default configuration file read by pf is pf.conf, not pf.con (if it was just a mistyping in your message, ignore this warning).

Lines 23 and 24 have a syntax error; feel free to paste pf.conf here.

You can find the entry-IP address by looking at the line with the directive "remote" in the air.ovpn configuration file you have (just display it with the cat command or open it with any text editor).

Please do not hesitate to contact us for any further information.

Kind regards
Orfeo Posted ...

Hello

"Lines 23 and 24 have a syntax error; feel free to paste pf.conf here."

    #
    # Default PF configuration file.
    #
    # This file contains the main ruleset, which gets automatically loaded
    # at startup.  PF will not be automatically enabled, however.  Instead,
    # each component which utilizes PF is responsible for enabling and disabling
    # PF via -E and -X as documented in pfctl(8).  That will ensure that PF
    # is disabled only when the last enable reference is released.
    #
    # Care must be taken to ensure that the main ruleset does not get flushed,
    # as the nested anchors rely on the anchor point defined here.
    #
    # See pf.conf(5) for syntax.
    #

    #
    # com.apple anchor point
    #
    nat-anchor "com.apple/*"
    rdr-anchor "com.apple/*"
    anchor "com.apple/*"
    load anchor "com.apple" from "/etc/pf.anchors/com.apple"
    block out on en0 from 192.168.0.0/16 to any
    pass out quick on tun0 from any to any

Please have a look at it. I really appreciate your support.
Staff Posted ...

@Orfeo

Hello!

What happens with the following rules?

    block out all
    pass out quick from 127.0.0.1 to any
    pass out quick from 192.168.0.0/16 to <AirVPN_server_entry_IP>
    pass out quick from 10.0.0.0/8 to any
    pass out quick from 192.168.0.0/16 to 192.168.0.0/16

Kind regards
Orfeo Posted ...

Hello! I pasted the new set of rules into the pf.conf file and received this message after I tried to reset and reload:

    PF ERROR! No ALTQ support in kernel
    ALTQ related functions disabled
    /etc/pf.conf:23: syntax error

Here again the set of rules I pasted into the pf.conf file.

    block out all
    pass out quick from 127.0.0.1 to any
    pass out quick from 192.168.0.0/16 to 62.212.85.65 443
    pass out quick from 10.0.0.0/8 to any
    pass out quick from 192.168.0.0/16 to 192.168.0.0/16

Thanks for your effort.
Staff Posted ...

> Hello! I pasted the new set of rules into the pf.conf file and received this message after I tried to reset and reload:
>
>     PF ERROR! No ALTQ support in kernel
>     ALTQ related functions disabled
>     /etc/pf.conf:23: syntax error
>
> Here again the set of rules I pasted into the pf.conf file.
>
>     block out all
>     pass out quick from 127.0.0.1 to any
>     pass out quick from 192.168.0.0/16 to 62.212.85.65 443
>     pass out quick from 10.0.0.0/8 to any
>     pass out quick from 192.168.0.0/16 to 192.168.0.0/16
>
> Thanks for your effort.

Hello!

What is that 443 in the line "pass out quick from 192.168.0.0/16 to 62.212.85.65 443"? Please delete it.

Kind regards
Orfeo Posted ...

Hello!

"What is that 443 ...?"

The 443 is part of the "remote" info in the air.ovpn configuration file. It seems to be the port number. I deleted the 443 and still get this message:

    PF ERROR! No ALTQ support in kernel
    ALTQ related functions disabled
    /etc/pf.conf:23: syntax error

So I guess the line with the syntax error is still this:

    pass out quick from 192.168.0.0/16 to 62.212.85.65

But, of course, I am not sure. The complete paste of the pf.conf file now reads like this:

    #
    # Default PF configuration file.
    #
    # This file contains the main ruleset, which gets automatically loaded
    # at startup.  PF will not be automatically enabled, however.  Instead,
    # each component which utilizes PF is responsible for enabling and disabling
    # PF via -E and -X as documented in pfctl(8).  That will ensure that PF
    # is disabled only when the last enable reference is released.
    #
    # Care must be taken to ensure that the main ruleset does not get flushed,
    # as the nested anchors rely on the anchor point defined here.
    #
    # See pf.conf(5) for syntax.
    #

    #
    # com.apple anchor point
    #
    nat-anchor "com.apple/*"
    rdr-anchor "com.apple/*"
    anchor "com.apple/*"
    load anchor "com.apple" from "/etc/pf.anchors/com.apple"
    block out all
    pass out quick from 127.0.0.1 to any
    pass out quick from 192.168.0.0/16 to 62.212.85.65
    pass out quick from 10.0.0.0/8 to any
    pass out quick from 192.168.0.0/16 to 192.168.0.0/16

Any idea what's wrong? Thanks.
Staff Posted ...

> Hello!
>
> "What is that 443 ...?"
>
> The 443 is part of the "remote" info in the air.ovpn configuration file. It seems to be the port number. I deleted the 443 and still get this message:
>
>     PF ERROR! No ALTQ support in kernel
>     ALTQ related functions disabled
>     /etc/pf.conf:23: syntax error
>
> So I guess the line with the syntax error is still this:
>
>     pass out quick from 192.168.0.0/16 to 62.212.85.65

Hello!

Locate line 23 to be sure to identify which line is giving the syntax error. Also, make sure that after the copy & paste you have not inserted characters which may cause problems to the pf parser, for example CR+LF. Also, each line must be terminated with a CR, including the last line. Finally, refer to your pf man page to check whether the syntax of your pf version is slightly different.

Kind regards
Orfeo Posted ...

Hello! When I count the lines of the pf file, the one with the syntax error is this:

    block out all

So, for a test, I deleted the line, reset and reloaded the pf.conf, and didn't receive an error message! The message I got simply reads:

    PF firewall reset, configuration reloaded from /etc/pf.con

But is this what I want? Will the firewall now block outgoing packages in case of VPN disconnection? Thanks
Staff Posted ...

> Hello! When I count the lines of the pf file, the one with the syntax error is this:
>
>     block out all
>
> So, for a test, I deleted the line, reset and reloaded the pf.conf, and didn't receive an error message! The message I got simply reads:
>
>     PF firewall reset, configuration reloaded from /etc/pf.con
>
> But is this what I want? Will the firewall now block outgoing packages in case of VPN disconnection? Thanks

Hello!

No, this is not what you want; the firewall will not block anything without that rule. Replace it with:

    block out from 192.168.0.0/16 to any

PF will block any outgoing packet from 192.168.*.*, except those which match the subsequent "pass out" rules.

If there are no more syntax errors, test the configuration. Activate pf. Now you should lose your Internet connectivity, except toward Lyra. Connect to the Air server Lyra entry-IP (62.212.85.65), any port. The connection should succeed thanks to the relevant pass out rule. Now you should have full connectivity. Launch a bittorrent client, share some redistributable content. Let it work for some minutes. Then, disconnect from the VPN. If everything is ok, you should immediately see a total drop of outgoing packets from any application, including the bittorrent client.

Anyway, you should investigate further, because "block out all" is a perfectly legal directive on any pf version.

Kind regards
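The ruleset built up in the staff replies above, together with the three things that cost this thread several round trips (the entry IP has to be copied from the "remote" line of the .ovpn profile, the port number on that line must not end up in the pf rule, and CR characters from a copy & paste can break the pf parser), as an added example script. It is not part of the original thread and not AirVPN's or IceFloor's own tooling. The interface names en0 and tun0, the LAN prefix 192.168.0.0/16 and the profile path are assumptions to adjust to your own Mac; the sample profile the script writes is constructed for the offline check and contains a deliberate duplicate and a hostname "remote" line.

```shell
#!/bin/sh
# Added example (not from the original thread): generate the PF "kill switch"
# ruleset from an OpenVPN profile so that the entry IP is copied from the
# profile's "remote <host> <port>" lines and the port column is never pasted
# into the rule. Assumed (hypothetical) names: LAN interface en0, LAN prefix
# 192.168.0.0/16, tunnel interface tun0, profile ~/air.ovpn.

# Print the entry-IP addresses found on "remote" lines, one per line.
#  - the port column is dropped: "to 62.212.85.65 443" is a pf syntax error
#  - CR characters are removed so a CRLF file cannot confuse the pf parser
#  - a hostname is reported and skipped rather than emitted: pf resolves it
#    once at load time, which fails while DNS is blocked and is not something
#    a kill switch should depend on
ovpn_entry_ips() {
    tr -d '\r' < "$1" | awk '
        $1 == "remote" {
            if ($2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print $2
            else print "skipping non-IP remote: " $2 > "/dev/stderr"
        }' | sort -u
}

# Emit the ruleset: drop everything leaving the LAN interface from the LAN
# prefix, then pass LAN-to-LAN traffic, LAN-to-entry-IP traffic (so OpenVPN
# can still connect) and anything already going through the tunnel.
# $1 = LAN interface, $2 = LAN prefix, $3 = tunnel interface, $4 = .ovpn file
gen_pf_rules() {
    lan_if=$1; lan_net=$2; tun_if=$3; ovpn=$4
    printf 'block out on %s from %s to any\n' "$lan_if" "$lan_net"
    printf 'pass out quick on %s from %s to %s\n' "$lan_if" "$lan_net" "$lan_net"
    for ip in $(ovpn_entry_ips "$ovpn"); do
        printf 'pass out quick on %s from %s to %s\n' "$lan_if" "$lan_net" "$ip"
    done
    printf 'pass out quick on %s from any to any\n' "$tun_if"
}

# Constructed sample profile (CRLF line endings, a duplicated remote line and
# a hostname remote) used to exercise the generator without a real profile.
sample_ovpn() {
    printf 'client\r\nremote 62.212.85.65 443\r\nremote 62.212.85.65 443\r\nremote vpn.example.invalid 443\r\ndev tun\r\n' > "$1"
}

# Usage on the Mac itself (needs root; not executed here):
#   gen_pf_rules en0 192.168.0.0/16 tun0 ~/air.ovpn > /tmp/airvpn.pf.conf
#   sudo pfctl -nf /tmp/airvpn.pf.conf   # parse only: fix syntax errors first
#   sudo pfctl -ef /tmp/airvpn.pf.conf   # enable pf and load the ruleset
#   sudo pfctl -d                        # disable pf again
```

Two caveats a practitioner should keep in mind: `pfctl -nf` parses the file without loading it, which is the cheap way to find a "syntax error" before touching a live ruleset, and the block rule only covers sources inside the LAN prefix you pass, so a Mac that joins a 10.x or 172.16.x network is not filtered by these rules until you regenerate them for that prefix.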
Orfeo Posted ...

Hello! The insertion of the new rule didn't cause a syntax error message. I will test the new configuration in a little while and report back. Thanks a lot!
sark1138 Posted ...

I've seen the VPN/firewall blocking instructions for Comodo. You wouldn't happen to have instructions for a recent version of Norton, would you? My experience with networking issues is pretty weak.
Staff Posted ...

> I've seen the VPN/firewall blocking instructions for Comodo. You wouldn't happen to have instructions for a recent version of Norton, would you? My experience with networking issues is pretty weak.

Hello!

We're sorry, currently we don't provide step-by-step support for Symantec products. Symantec products are commercial products which offer full customer support, so you might try to get support from their team. You could:

- replicate the rules suggested for any firewall in the forum (Comodo, PF...) on your Norton Firewall
- switch to Comodo: independent peer reviews performed with high-standard leak tests show that Comodo Firewall in terms of security is highly superior to Norton Firewall (we underline "firewall"); in severe leak tests Norton Firewall 2012 protection rates as "NONE" (!!!) while Comodo rates as "excellent", see for example http://www.matousec.com/projects/proactive-security-challenge/results.php
- Comodo is not open source but it's freely redistributable, see https://personalfirewall.comodo.com

The only software firewalls for old Windows OS that are not useless (or dangerous) toys are (% shows the percentage of passed leak tests, the higher the better):

- Comodo Internet Security 5.3.176757.1236 (FREE): 100%
- Online Solutions Security Suite 1.5.14905.0: 99%
- Privatefirewall 7.0.25.4 (FREE): 98%
- Outpost Security Suite Free 7.0.4.3418.520.1245.401 (FREE): 97%
- Outpost Security Suite Pro 7.5.1.3791.596.1681: 97%
- BitDefender Internet Security 2011 14.0.30.357: 97%
- Kaspersky Internet Security 2012 12.0.0.374: 93%
- Malware Defender 2.7.3.0002 (FREE): 91%

Norton Internet Security 2012 has 20% (protection "none").

For the most updated "Proactive Security Challenge", see http://www.matousec.com/projects/proactive-security-challenge-64/results.php. This new challenge shows that apart from Comodo (94%), a secure firewall for 64-bit Windows versions does not exist.

Kind regards
sark1138 Posted ...

Thank you. This is very helpful information. I was planning on finding an alternative for Norton, and this helped me determine what anti-virus/firewall combination I will likely go with.
Orfeo Posted ...

> Hello! When I count the lines of the pf file, the one with the syntax error is this:
>
>     block out all
>
> So, for a test, I deleted the line, reset and reloaded the pf.conf, and didn't receive an error message! The message I got simply reads:
>
>     PF firewall reset, configuration reloaded from /etc/pf.con
>
> But is this what I want? Will the firewall now block outgoing packages in case of VPN disconnection? Thanks

> Hello!
>
> No, this is not what you want; the firewall will not block anything without that rule. Replace it with:
>
>     block out from 192.168.0.0/16 to any
>
> PF will block any outgoing packet from 192.168.*.*, except those which match the subsequent "pass out" rules.
>
> If there are no more syntax errors, test the configuration. Activate pf. Now you should lose your Internet connectivity, except toward Lyra. Connect to the Air server Lyra entry-IP (62.212.85.65), any port. The connection should succeed thanks to the relevant pass out rule. Now you should have full connectivity. Launch a bittorrent client, share some redistributable content. Let it work for some minutes. Then, disconnect from the VPN. If everything is ok, you should immediately see a total drop of outgoing packets from any application, including the bittorrent client.
>
> Anyway, you should investigate further, because "block out all" is a perfectly legal directive on any pf version.
>
> Kind regards

Hello! It works! It works! You guys did a fantastic job. Excellent support! I'm a complete VPN novice and now I even have a firewall. Thanks a lot.

As to the error message caused by the insertion of the rule "block out any" in the pf.conf file: could it be due to a conflict with the standard setting of IceFloor which allows access to the LAN?

The new rules in the pf.conf file are represented by IceFloor in the frontend "Manage PF rules" panel in this way:

    anchor "com.apple/*"
    block drop out inet from 192.168.0.0/16 to any
    pass out quick inet from 192.168.0.0/16 to 62.212.85.65 flags S/SA keep state
    pass out quick inet from 192.168.0.0/16 to 192.168.0.0/16 flags S/SA keep state
    pass out quick inet from 127.0.0.1 to any flags S/SA keep state
    pass out quick inet from 10.0.0.0/8 to any flags S/SA keep state

Again, thanks a lot.