Staff 9973 Posted ... Hello!It works! It works!You guys did a fantastic job. Excellent support! I’m a complete vpn-novice and now I even have a firewall. Thanks a lot.As to the error message caused by the insertion of the rule “block out any” in the pf.conf file: Could is be due to a conflict with the standard setting of IceFloor which allows access to LAN?The new rules in the pf.conf file are represented by IceFloor in the frontend “Manage PF rules” panel in this way:anchor "com.apple/*"block drop out inet from 192.168.0.0/16 to anypass out quick inet from 192.168.0.0/16 to 62.212.85.65 flags S/SA keep statepass out quick inet from 192.168.0.0/16 to 192.168.0.0/16 flags S/SA keep statepass out quick inet from 127.0.0.1 to any flags S/SA keep statepass out quick inet from 10.0.0.0/8 to any flags S/SA keep stateAgain, thanks a lot.Hello!Thank you for your nice words. We're glad to know that you have managed to have a working and secure setup. If there was a conflict, the message should not have been "syntax error", but something different. Anyway, "block out any"? The rule is "block out all".Kind regards Quote Share this post Link to post
kingsroadberkshire 0 Posted ... Hi, I have a Windows 7 laptop. I am using standard Windows Firewall. I would like to know how to cut-off internet access (particularly for uTorrent and Opera internet browser) if the AirVpn connection is broken. I am using airvpn using direct access (i.e., downloaded the air profile into openvpn folder and connected directly). Thank you. Quote Share this post Link to post
Staff 9973 Posted ... Hi,I have a Windows 7 laptop. I am using standard Windows Firewall.I would like to know how to cut-off internet access (particularly for uTorrent and Opera internet browser) if the AirVpn connection is broken.I am using airvpn using direct access (i.e., downloaded the air profile into openvpn folder and connected directly).Thank you.Hello!Please see https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=1713&Itemid=142#1715 and subsequent messages on this very same thread.Currently Comodo Firewall is the only software firewall for 64-bit Windows systems which passes important leak tests, so it is highly recommended not to trust any other software firewall.Kind regards Quote Share this post Link to post
kingsroadberkshire 0 Posted ... Thank you. For Comodo Firewall, is it the free version or do I need to buy the paid version? Quote Share this post Link to post
jmann9000 0 Posted ... The Free Version will work perfectly with Windows 7. Quote Share this post Link to post
ana.pofuk 0 Posted ... Hello Solution with Coodo is really straightforward. Are you maye aware of any Linux (ubuntu) solution, which can be used as Comodo on Windows? Default gufw can not be configured that way, I haven't been able to find a proper simple solution.... Thank you Quote Share this post Link to post
Staff 9973 Posted ... HelloSolution with Coodo is really straightforward.Are you maye aware of any Linux (ubuntu) solution, which can be used as Comodo on Windows?Default gufw can not be configured that way, I haven't been able to find a proper simple solution....Thank youEDITED ON 21 Aug 12EDITED ON 24 Nov 12: added important note for some Linux users, see bottom of messageHello!You can use iptables, a very powerful packet filtering and NAT program (probably one of the most powerful, if not the most powerful of all). iptables is already included in all official Ubuntu distros and most Linux distros, anyway if you don't have it just install it with aptitude.Adding the following simple rules will prevent leaks in case of [accidental] VPN disconnection. In this example, it is assumed that your network interface is eth+ (change it as appropriate; for example, you might have wlan0 for a WiFi connection). a.b.c.d is the entry-IP address of the Air server you connect to. You can find out the address simply looking at the line "remote" of your air.ovpn configuration file. In case of doubts, just ask us. Some of the following rules might be redundant if you have already chains.Assumptions: you are in a 192.168.0.0/16 network and your router is a DHCP server. You have a a physical network interface named eth*. The tun adapter is tun* and the loopback interface is lo.iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT #allow loopback access iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT #make sure you can communicate with any DHCP server iptables -A INPUT -s 255.255.255.255 -j ACCEPT #make sure you can communicate with any DHCP server iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT #make sure that you can communicate within your own network iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT iptables -A FORWARD -i eth+ -o tun+ -j ACCEPT iptables -A FORWARD -i tun+ -o eth+ -j ACCEPT # make sure that eth+ and tun+ can communicate iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE # in the POSTROUTING chain of the NAT table, map the tun+ interface outgoing packet IP address, cease examining rules and let the header be modified, so that we don't have to worry about ports or any other issue - please check this rule with care if you have already a NAT table in your chain iptables -A OUTPUT -o eth+ ! -d a.b.c.d -j DROP # if destination for outgoing packet on eth+ is NOT a.b.c.d, drop the packet, so that nothing leaks if VPN disconnects When you add the above rules, take care about pre-existing rules, if you have already some tables, and always perform a test to verify that the subsequent behavior is what you expect: when you disconnect from the VPN, all outgoing traffic should be blocked, except for a reconnection to an Air server.In order to block specific programs only, some more sophisticated usage of iptables is needed, and you will also need to know which ports those programs use. See "man iptables" for all the features and how to make the above rules persistent or not according to your needs.Warning: the following applies ONLY for Linux users who don't have resolvconf installed and don't use up & down OpenVPN client scriptsIn this case, your system has no way to process the DNS push from our servers. Therefore your system will just tunnel the DNS queries with destination the DNS IP address specified in the "nameserver" lines of the /etc/resolv.conf file. But if your first nameserver is your router IP, the queries will be sent to your router which in turn will send them out unencrypted. Solution is straightforward: edit the /etc/resolv.conf file and add the following line at the top (just an example, of course you can use any of your favorite DNS, as long as it is NOT your router):nameserver 10.4.0.1 # in order to use AirVPN DNS nameserver 8.8.8.8 # in order to use Google DNS only if AirVPN DNS is unavailableKind regards Quote Share this post Link to post
JamesDean 10 Posted ... Is there any way to disable a rule in Comodo? I like being able to block on VPN drop, but sometimes I'd like to access sites using my ISP. I can't find a way, other than deleting and recreating the rule each time...which is a pain. I currently created an application rule for Firefox and tested that it works (It does). I wonder if there is a way to create 2 Global rules, and then move one abve the other when needed...does Comodo work like a traditional firewall where the allow rule above the deny rule is respected? Thanks, JD Edit: I gues I could close the VPN and uncheck the Exclude box as a work around, correct? Quote Share this post Link to post
Staff 9973 Posted ... Is there any way to disable a rule in Comodo? I like being able to block on VPN drop, but sometimes I'd like to access sites using my ISP. I can't find a way, other than deleting and recreating the rule each time...which is a pain. I currently created an application rule for Firefox and tested that it works (It does). I wonder if there is a way to create 2 Global rules, and then move one abve the other when needed...does Comodo work like a traditional firewall where the allow rule above the deny rule is respected? Thanks,JDEdit: I gues I could close the VPN and uncheck the Exclude box as a work around, correct?Hello!The "Exclude" tick might or might not work properly (it works as a NOT operator), it depends on your configuration.Probably the most straightforward way is switching from your "Custom Policy" (when connected to the VPN) to "Safe Mode" (when you want connectivity without the VPN), because to do that you just need to right-click on the Comodo dock icon.Kind regards 1 gymoumma reacted to this Quote Share this post Link to post
JamesDean 10 Posted ... Thanks. The Exclude switch works. When unchecked, it will block the VPN and allow anything else. Since the VPN is shut down, it doesn't matter. Pretty decent work around. JD Quote Share this post Link to post
ana.pofuk 0 Posted ... a.b.c.d is the entry-IP address of the Air server you connect to. You can find out the address simply looking at the line "remote" of your air.ovpn configuration file. Some of the following rules might be redundant if you have already chains. <code>iptables -I FORWARD -i eth+ -o tun+ -j ACCEPT iptables -I FORWARD -i tun+ -o eth+ -j ACCEPT # make sure that eth+ and tun+ can "communicate" iptables -I INPUT -i tun+ -j REJECT iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE # in the POSTROUTING chain of the NAT table, map the tun+ interface outgoing packet IP address, cease examining rules and let the header be modified, so that we don't have to worry about ports or any other issue - please check this rule with care if you have already a NAT table in your chain iptables -I OUTPUT -o eth+ ! --dst a.b.c.d -j DROP # if destination for outgoing packet on eth+ is NOT a.b.c.d, drop the packet, so that nothing leaks if VPN disconnects # the above line can be duplicated for as many Air servers as you wish to connect to, just insert the appropriate Air server entry-IP </code> Kind regards hi i've tried this approach, but it didn't work with me, it seems it blocked all traffic. it was a good start, i did some research, it seems tun interface is the one communicating with the VPN server, so I did this: iptables -A OUTPUT -o tun0 -j ACCEPT iptables -A OUTPUT -d a.b.c.d -j ACCEPT iptables -A OUTPUT -j DROP didn't check completely, but it seems to be working 1 Michaelalofs reacted to this Quote Share this post Link to post
jessez 3 Posted ... Thanks to the airvpn techs and Orfeo for the work with the pf firewall. What a nightmare I've had trying to get it working right! I don't want the Apple anchor and do want dns through privacyfoundation.de, so this is my working pf.conf for anyone else to use. It has all the Gb servers except the one in the UK. Also with pf.conf on the mac, the last line needs to have a return, so when the cursor is on the last line, you should be able to use the right or down arrows and the cursor drop one line down only. Anymore than that backspace it out.Using this in terminal will show exactly what the rules are that will load and point out any errors:sudo pfctl -vvv -f /etc/pf.conffor some reason you still have to do: sudo pfctl -eto start the firewall.Best regards to all,jz# pf.conf# Drop everything that doesn't match a ruleblock drop out inet from 192.168.0.0/16 to any# Swiss DNSpass out quick inet from 192.168.0.0/16 to 87.118.104.203 flags S/SA keep statepass out quick inet from 192.168.0.0/16 to 87.118.109.2 flags S/SA keep state# Airvpn; Tauri, Castor, Draconis, Sirius, Vegapass out quick inet from 192.168.0.0/16 to 46.165.208.65 flags S/SA keep statepass out quick inet from 192.168.0.0/16 to 95.211.169.3 flags S/SA keep statepass out quick inet from 192.168.0.0/16 to 178.248.29.132 flags S/SA keep statepass out quick inet from 192.168.0.0/16 to 108.59.8.147 flags S/SA keep statepass out quick inet from 192.168.0.0/16 to 69.163.36.66 flags S/SA keep state# Local networkpass out quick inet from 192.168.0.0/16 to 192.168.0.0/16 flags S/SA keep state# Allow all on lo0pass out quick inet from 127.0.0.1 to any flags S/SA keep state# Everything tunneledpass out quick inet from 10.0.0.0/8 to any flags S/SA keep stateModified by jzHere is modifications to pf.conf:https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=2935&Itemid=142#2935 Quote Share this post Link to post
slackerofthemind 0 Posted ... Thanks to everyone who has contributed here. Have any Mac users managed to set-up Waterroof rules (for 10.6.8)? If so, would you be willing to export & share these? Quote Share this post Link to post
galilao 2 Posted ... Hello, I launched Waterroof, but how do I key in these commands? Thank you Quote Share this post Link to post
jessez 3 Posted ... Hi, There aren't any rules in this article for ipfw ( WaterRoof being a front-end for ipfw ). The ones above ( and the others that mention pf ) are for the pf firewall; only available in Mac Lion, BSD, and some other UNIX variants. iptables is only used in Linux anymore as far as I know. What operating system are you using? If necessary I could set up some rules for ipfw if slackerofthemind and/or galilao are willing to test them. Best jz Quote Share this post Link to post
slackerofthemind 0 Posted ... Sure, I'd be more than happy to test out the Waterroof rules, thanks! Having not used Waterroof before I'm simply finding it a pain to mimic similar rules above, and I don't have the time to dig deep into this at the moment. Waterroof wasn't accepting IP addresses in the value(s) fields so I simply gave up on it --- it was giving me error messages when inputing AirVPN X.X.XX.XX IPs as allowable addresses. Couldn't figure out why. Ideally I'd like to haev *all AirVPN* IP addresses on UDP/TCP included so that whatever I connect to is cleared. I've also looked into using Little Snitch but though you can easily block All Application traffic there is no easy way of allowing traffic to a set of IP ranges to All Applications. Happy to test & refine but what I really need is an example of a Waterroof ruleset. Quote Share this post Link to post
galilao 2 Posted ... Hello, I am running OS 10.5.8. Yes, I am willing to test the program. Thanks. 1 MatthewEt reacted to this Quote Share this post Link to post
jessez 3 Posted ... Hi, slackerofthemind: I've never seen a problem with WaterRoof like that (You may end up having to uninstall it and reinstall, but we'll see what happens when you import rules). What version of MacOS are you running? No problem to add all the servers, there's a list on here somewhere that has them all, so I'll find that for reference. Little Snitch doesn't have the capability of doing this kind of firewalling, I use it myself to limit apps that have network access, but that's about all it's good for other than monitoring what apps are trying to make outgoing connections. galilao: ok, you have to use the ipfw as Leopard-10.5.x (and SnowLeopard-10.6.x - if you upgrade at any time) only has that capability for firewalling. Ok, I'll put some rules together and post the file for import into WaterRoof. It may take me a day or two (so you have a time-frame). Regards to you both, jz Quote Share this post Link to post
jessez 3 Posted ... This is only for MacOSX/UNIX using the IPFW firewall. It not for Windows or Linux! Ok for the Mac users; I set up some ipfw rules and will post 4 files. I ran the shell script and tested it sucessfully, therefore manually adding everything at the command line should work. What I didn't test was the import into WaterRoof, and also some more testing could be done to make sure nothing gets out except through AirVPN. I tested browser, email client and VOIP client successfully ( odd to say this, but... ) not connecting to anything …lol Let me know about any errors, ommisions, changes or additions so I can fix them, Thanks! 1st file ) I would recommend saving: AirVPN-tutorial.txt. If you don't and then can't get internet access to do troubleshooting, well, you were advised to save it 2nd file ) AirVPN-script.sh which will setup everything automatically for you. For anyone that doesn't know how to run a shell script: open a terminal and cd to the place you saved the AirVPN-script.sh file. ie: cd /home/<your-username-here>/Downloads Then copy and paste this at the terminal prompt: sh ./AirVPN-script.sh Type y when prompted. Check the rules and that ipfw is running: ipfw -a list This command will also show you which rules are passing and blocking packets, which is useful for troubleshooting, and confirming every packet is going through AirVPN 3rd file ) AirVPN-Commandline&Documentation.txt This is just the rules and some documentation to let the reader know what each item is doing. Anyone that uses the airvpn-script can check what it does by reading this file. The rules can be copy pasted to the terminal if you like doing everything manually and/or selecting which airvpn servers you want to allow connections to. 4th file ) airvpn-ipfw-ruleset ( if it ends up with .txt as an extension delete the .txt - this file has no extension for import in WaterRoof ) This is the ruleset that should be import-able into WaterRoof and possibly other ipfw front-end software like NoobProof and maybe DoorStop. A word of caution here: if you are using a frontend to ipfw, make sure all it's default rules are flushed first. I think ones like WaterRoof, NoobProof and DoorStop have default rules setup that will nullify any benefit of using the ruleset provided here. If you are unable to flush rule number 65535 or it returns after flushing, don't worry; rule 65534 denies everything that gets that far through the firewall rules. If you are watching the log, you will see all the denials in rules numbered 65000 to 65634 README: Lastly, I have done this for the benefit of AirVPN users. Therefore I accept no liability for anything whatsoever, whether I put it in the rules or instructions, or you as the user change anything. I have done my best to block anything from going in or out of your internet connection unless you are connected to AirVPN, so make sure you are connected before wondering why your browser, email, VOIP, or whatever else isn't connecting. TROUBLESHOOTING: If you cannot connect to AirVPN after running the script, adding anything manually, or importing the ruleset into WaterRoof, run the following at the command prompt: sudo ipfw flush That will flush the rules and give you direct access to the internet through your isp so you can get support for whatever the problem is. If that doesn't work; sudo ipfw disable firewall sudo ipfw flush sudo ipfw enable firewall Source: man ipfw ; If the world and the kernel get out of sync the ipfw ABI may break, preventing you from being able to add any rules. This can adversely effect the booting process. You can use: sudo ipfw disable firewall to temporarily disable the firewall to regain access to the network, allowing you to fix the problem Or for worst case scenario: sudo sysctl -w net.inet.ip.fw.enable=0 which will stop the firewall from loading at boot, so paste sudo sysctl -w net.inet.ip.fw.enable=0 in the terminal, hit enter, reboot the mac, and you'll be clean with no ipfw firewalling when it restarts.AirVPN-tutorial.txt Quote Share this post Link to post
jessez 3 Posted ... OK, sorry I had to change the extension of AirVPN-script.sh and airvpn-ipfw-ruleset to comply with the forum attachment rules, so just take the .txt off of each of those to make them usable.AirVPN-script.sh.txt Quote Share this post Link to post
jessez 3 Posted ... Nope, this is the last one, sorry I couldn't get them all in one post. Best regards, jzAirVPN-CommandlineDocumentation.txt Quote Share this post Link to post
galilao 2 Posted ... Hello, I found the AirVPN-tutorial file. I was searching on the Home page, then realized it was an attachment. Thank you Quote Share this post Link to post
gopal 0 Posted ... Hi, Any idea how to do these setting on Vipre Firwall. I an't seem to get it working. Gopal Quote Share this post Link to post
jessez 3 Posted ... Hi all, galileo, you're welcome. Let me know how the testing goes. gopal; I'm sorry I'm not familiar with the Vipre software and can't really help you with that. If it allows manually adding and deleting rules, there should be some way to do it though. Perhaps the admins or someone familiar with that software can help. Best regards, jz Quote Share this post Link to post