Win - Mac - BSD Block traffic when VPN disconnects

[Staff 9972]

@ergolon

Hello!

It was assumed that your client was running in a *BSD machine (OpenBSD, FreeBSD, Mac OSX...) with pf. If you connect through your DD-WRT router, then you must not set the firewall rules specified by the tutorial by jessez on your *BSD device. In order to secure your connection you will have to use iptables on the DD-WRT.

It's definitely correct that your forward ports in your home network. The warning pertains to forwarding ports in the router physical network interface which communicates with the "outside", which would be dangerous.

Kind regards

[Guest ergolon]

@admin:

Nope, you were right, although I´m using a DD-WRT router (and I might as well try to setup AirVPN for my router some day), I connect to the AirVPN servers with my Mac (through Shimo [http://www.chungwasoft.com/shimo/] to be precise). So the port forwarding problem from post #4303 persists... any ideas?

Thanks!

[Guest ergolon]

*bump* see post above

[Mistergigahertz 0]

Hi!

I've imported the ruleset into Waterproof, but if I turn of airVPN, I can still connect to everything. I also tried adding the script in terminal with the same result.

What to do what to do?

[Staff 9972]

@Mistergigahertz

Can you please make sure that ipfw is running and applying the correct rules?

Kind regards

[Necromacy1 0]

Hello!

I'm new to VPN services and on using the Terminal so I'm still experimenting as I have for the past 2 hours. I'm running on Mountain Lion Mac OSX and have installed the VPN client TunnelBlick and created the necessary certificates to connect to the VPN servers.

I can confirm that the majority of my traffic data is what showed on the AirVPN website. However after reviewing a website http://www.dnsleaktest.com I've discovered that several local servers that belong to my ISP were detected so I must not have a "complete" tunnel. I've restarted all applications and computer, being sure to start the client first.

I've searched and seen the very helpful information posted by Jessez in regards to halting DNS leaks, and seemed to get a part of the script working, however when attempting to use the command

ipfw -a list

I got an error

Operation not permitted

The list I realize was not tantamount to getting it to work, however I still seem to be having trouble. Can anyone help me in setting up my system so 100% of my network traffic is moving through the VPN server?

Thank you!

[galilao 2]

Hello:

I only have Snow Leopard, but you can try going to Network in System Preferences and selecting the DNS tab. This will enable you to type in the addresses of the DNS servers you want, for example from the Swiss Privacy Foundation. Sometimes the modem provided by your ISP will lock the DNS server setting in the ROM as Clearwire does. With the Clearwire modem, it was impossible for me to change the DNS servers. If this is your situation, it will be necessary to switch to a different ISP that allows its customers to program the modem to choose the DNS servers they want.

Hope this helps.

[Staff 9972]

Hello:

I only have Snow Leopard, but you can try going to Network in System Preferences and selecting the DNS tab. This will enable you to type in the addresses of the DNS servers you want, for example from the Swiss Privacy Foundation. Sometimes the modem provided by your ISP will lock the DNS server setting in the ROM as Clearwire does. With the Clearwire modem, it was impossible for me to change the DNS servers. If this is your situation, it will be necessary to switch to a different ISP that allows its customers to program the modem to choose the DNS servers they want.

Hope this helps.

Hello!

If the modem/router DNS are locked, you can anyway bypass them. Once you're inside the VPN you can use the VPN DNS or tunnel any DNS query you like over the VPN.

Kind regards

[galilao 2]

Hello:

My recollection is that even with the AirVPN connected the DNS leak test was still showing the Clearwire DNS servers. I had to change ISP to be able to select the DNS servers of my choice.

Thank you

[Staff 9972]

Hello:

My recollection is that even with the AirVPN connected the DNS leak test was still showing the Clearwire DNS servers. I had to change ISP to be able to select the DNS servers of my choice.

Thank you

Hello!

Of course, this may happen if your computer sends DNS queries to your locked router/modem. The locked router/modem will then send a query to your ISP DNS. In this case you need either to prevent leaks with our firewall guides or force the DNS resolution to the VPN DNS (10.4.0.1 https://airvpn.org/specs), so that the VPN query will be encrypted and encapsulated by your OpenVPN client, sent to our servers and finally processed by them. This gives the advantage to be able to access VPN internal services and bypass some ICE censorship which can't be bypassed with any other DNS.

Kind regards

[galilao 2]

Hello,

How do I force the DNS resolution to 10.4.0.1?

Do I understand correctly that using a firewall with a locked router/modem, the DNS query won't go out through the locked router/modem, but it also means that the DNS query doesn't go out at all and I get no response?

Thank you

[Staff 9972]

Hello,

How do I force the DNS resolution to 10.4.0.1?

Hello!

It depends on your OS, which one are you using?

Do I understand correctly that using a firewall with a locked router/modem, the DNS query won't go out through the locked router/modem, but it also means that the DNS query doesn't go out at all and I get no response?

No DNS query will go out when you're disconnected from the VPN with the firewall recommended rules set in the computer which runs the client, regardless of a locked or not locked router (this is the reason for which we recommend, in some configurations, to add in the hosts file the airvpn.org resolution, otherwise reconnection with the Windows Air client would not be possible - no modification is necessary if you use OpenVPN directly). When that computer is connected to the VPN, only encrypted (tunneled) DNS queries will go out. The tunneled DNS queries not only can't be read by your ISP, but can't even be recognized as such.

Kind regards

[galilao 2]

Hello,

I am running Mac 10.5.8. and 10.6.8.

Thank you

[Staff 9972]

Hello,

I am running Mac 10.5.8. and 10.6.8.

Thank you

Hello!

In order to change DNS:

- Choose Apple menu > System Preferences, and then click Network.

- Select the network connection service/card you want to use in the list, and then click Advanced.

- Click DNS and enter the IP address of the VPN DNS server (10.4.0.1) as first

Repeat the process for every network card.

Kind regards

[RubeGoldberg 0]

Trouble getting this to work.

2012-11-27 20:56:03 *Tunnelblick client.up.tunnelblick.sh: Saved the DNS and WINS configurations for later use

2012-11-27 20:56:03 *Tunnelblick client.up.tunnelblick.sh: Set up to monitor system configuration with process-network-changes

2012-11-27 20:56:08 *Tunnelblick process-network-changes: A system configuration change was ignored because it was not relevant

2012-11-27 21:10:34 write UDPv4: Permission denied (code=13)

2012-11-27 21:10:45 write UDPv4: Permission denied (code=13)

2012-11-27 21:10:51 write UDPv4: Permission denied (code=13)

2012-11-27 21:10:51 write UDPv4: Permission denied (code=13)

2012-11-27 21:10:52 write UDPv4: Permission denied (code=13)

2012-11-27 21:10:52 write UDPv4: Permission denied (code=13)

2012-11-27 21:10:54 write UDPv4: Permission denied (code=13)

2012-11-27 21:10:54 write UDPv4: Permission denied (code=13)

2012-11-27 21:10:55 write UDPv4: Permission denied (code=13)

2012-11-27 21:10:56 write UDPv4: Permission denied (code=13)

2012-11-27 21:10:58 write UDPv4: Permission denied (code=13)

2012-11-27 21:10:58 write UDPv4: Permission denied (code=13)

2012-11-27 21:10:59 write UDPv4: Permission denied (code=13)

2012-11-27 21:11:06 write UDPv4: Permission denied (code=13)

2012-11-27 21:11:06 write UDPv4: Permission denied (code=13)

2012-11-27 21:11:08 write UDPv4: Permission denied (code=13)

2012-11-27 21:11:19 write UDPv4: Permission denied (code=13)

2012-11-27 21:11:22 write UDPv4: Permission denied (code=13)

2012-11-27 21:11:22 write UDPv4: Permission denied (code=13)

I'm running osx 10.6.8

Tried everything on this this thread to no avail. Enabled/Disabled the the Mac firewall and then ran the script. Tried importing the rules into waterproof.

I do have a program called TCPBlock, tried disabling it.

Tried the alternate script written for galilao. Checked the router address as well.

Any suggestions?

[Staff 9972]

Hello!

If you are 100% sure that nothing in your system is blocking Tunnelblick / OpenVPN, then the first option to be considered is that your ISP is blocking outbound port 443 UDP. Please try to change connection ports. Try 443 TCP, 80 UDP and 80 TCP.

Please feel free to let us know if the above solves your problem.

Kind regards

[RubeGoldberg 0]

443 UDP works fine whenever I don't try these rules.

[RubeGoldberg 0]

PS Here is what it looks like normally, without trying the suggested ipfw rules.

2012-12-02 16:05:37 *Tunnelblick: OS X 10.6.8; Tunnelblick 3.2.8 (build 2891.3099)

2012-12-02 16:05:38 *Tunnelblick: Attempting connection with AirVPN IT Crucis - UDP 443; Set nameserver = 1; monitoring connection

2012-12-02 16:05:38 *Tunnelblick: /Applications/Tunnelblick.app/Contents/Resources/openvpnstart start AirVPN\ IT\ Crucis\ -\ UDP\ 443.ovpn 1338 1 0 0 0 49 -atDASNGWrdasngw

2012-12-02 16:05:38 *Tunnelblick: openvpnstart: /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn --cd /Users/Ash/Library/Application Support/Tunnelblick/Configurations --daemon --management 127.0.0.1 1338 --config /Users/Ash/Library/Application Support/Tunnelblick/Configurations/AirVPN IT Crucis - UDP 443.ovpn --log /Library/Application Support/Tunnelblick/Logs/-SUsers-SAsh-SLibrary-SApplication Support-STunnelblick-SConfigurations-SAirVPN IT Crucis -- UDP 443.ovpn.1_0_0_0_49.1338.openvpn.log --management-query-passwords --management-hold --script-security 2 --up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -atDASNGWrdasngw --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -atDASNGWrdasngw --up-restart

2012-12-02 16:05:39 *Tunnelblick: openvpnstart message: Loading tun.kext

2012-12-02 16:05:39 *Tunnelblick: Established communication with OpenVPN

2012-12-02 16:05:39 OpenVPN 2.2.1 i386-apple-darwin10.8.0 [sSL] [LZO2] [PKCS11] [eurephia] built on Aug 10 2012

2012-12-02 16:05:39 MANAGEMENT: TCP Socket listening on 127.0.0.1:1338

2012-12-02 16:05:39 Need hold release from management interface, waiting...

2012-12-02 16:05:39 MANAGEMENT: Client connected from 127.0.0.1:1338

2012-12-02 16:05:39 MANAGEMENT: CMD 'pid'

2012-12-02 16:05:39 MANAGEMENT: CMD 'state on'

2012-12-02 16:05:39 MANAGEMENT: CMD 'state'

2012-12-02 16:05:39 MANAGEMENT: CMD 'hold release'

2012-12-02 16:05:39 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2012-12-02 16:05:39 WARNING: file 'user.key' is group or others accessible

2012-12-02 16:05:39 LZO compression initialized

2012-12-02 16:05:39 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]

2012-12-02 16:05:39 Socket Buffers: R=[42080->65536] S=[9216->65536]

2012-12-02 16:05:39 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]

2012-12-02 16:05:39 Local Options hash (VER=V4): '22188c5b'

2012-12-02 16:05:39 Expected Remote Options hash (VER=V4): 'a8f55717'

2012-12-02 16:05:39 UDPv4 link local: [undef]

2012-12-02 16:05:39 UDPv4 link remote: 95.110.200.16:443

2012-12-02 16:05:39 MANAGEMENT: >STATE:1354493139,WAIT,,,

2012-12-02 16:05:39 MANAGEMENT: >STATE:1354493139,AUTH,,,

2012-12-02 16:05:39 TLS: Initial packet from 95.110.200.16:443, sid=669bbb21 ac82949c

2012-12-02 16:05:50 VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org_CA/emailAddress=info@airvpn.org

2012-12-02 16:05:50 VERIFY OK: nsCertType=SERVER

2012-12-02 16:05:50 VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=server/emailAddress=info@airvpn.org

2012-12-02 16:06:22 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key

2012-12-02 16:06:22 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

2012-12-02 16:06:22 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key

2012-12-02 16:06:22 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

2012-12-02 16:06:22 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA

2012-12-02 16:06:22 [server] Peer Connection Initiated with 95.110.200.16:443

2012-12-02 16:06:23 MANAGEMENT: >STATE:1354493183,GET_CONFIG,,,

2012-12-02 16:06:24 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)

2012-12-02 16:06:25 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.4.0.1,comp-lzo no,route 10.4.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.4.2.222 10.4.2.221'

2012-12-02 16:06:25 OPTIONS IMPORT: timers and/or timeouts modified

2012-12-02 16:06:25 OPTIONS IMPORT: LZO parms modified

2012-12-02 16:06:25 OPTIONS IMPORT: --ifconfig/up options modified

2012-12-02 16:06:25 OPTIONS IMPORT: route options modified

2012-12-02 16:06:25 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified

2012-12-02 16:06:25 ROUTE default_gateway=192.168.1.254

2012-12-02 16:06:25 TUN/TAP device /dev/tun0 opened

2012-12-02 16:06:25 MANAGEMENT: >STATE:1354493185,ASSIGN_IP,,10.4.2.222,

2012-12-02 16:06:25 /sbin/ifconfig tun0 delete

ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address

2012-12-02 16:06:25 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure

2012-12-02 16:06:25 /sbin/ifconfig tun0 10.4.2.222 10.4.2.221 mtu 1500 netmask 255.255.255.255 up

2012-12-02 16:06:25 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -atDASNGWrdasngw tun0 1500 1558 10.4.2.222 10.4.2.221 init

No such key

2012-12-02 16:06:27 *Tunnelblick client.up.tunnelblick.sh: Retrieved name server(s) [ 10.4.0.1 ] and WINS server(s) [ ] and using default domain name [ openvpn ]

2012-12-02 16:06:27 *Tunnelblick client.up.tunnelblick.sh: Up to two 'No such key' warnings are normal and may be ignored

2012-12-02 16:06:27 *Tunnelblick client.up.tunnelblick.sh: Saved the DNS and WINS configurations for later use

2012-12-02 16:06:28 *Tunnelblick: Flushed the DNS cache

2012-12-02 16:06:28 /sbin/route add -net 95.110.200.16 192.168.1.254 255.255.255.255

add net 95.110.200.16: gateway 192.168.1.254

2012-12-02 16:06:28 /sbin/route add -net 0.0.0.0 10.4.2.221 128.0.0.0

add net 0.0.0.0: gateway 10.4.2.221

2012-12-02 16:06:28 /sbin/route add -net 128.0.0.0 10.4.2.221 128.0.0.0

add net 128.0.0.0: gateway 10.4.2.221

2012-12-02 16:06:28 MANAGEMENT: >STATE:1354493188,ADD_ROUTES,,,

2012-12-02 16:06:28 /sbin/route add -net 10.4.0.1 10.4.2.221 255.255.255.255

add net 10.4.0.1: gateway 10.4.2.221

2012-12-02 16:06:28 Initialization Sequence Completed

2012-12-02 16:06:28 MANAGEMENT: >STATE:1354493188,CONNECTED,SUCCESS,10.4.2.222,95.110.200.16

[jessez 3]

Hi RubeGoldberg,

Could you please post the ruleset you are using? I should be able to figure out what is going wrong. I have seen the same error you are having: "write UDPv4: Permission denied (code=13)" before, but just don't remember off the top of my head what the reason was. Anyway I will figure it out again and post it so we all have it documented.

Regards,

jz

[RubeGoldberg 0]

Thanks so much!

I was actually using the rules you posted in an earlier message on this thread.. Page 8. Tried the script as well as the command line. Then I tried the rules you wrote for galilao on page 12. Also changed the file permissions jic.

I have added- push "redirect-gateway def1" to all of my config files.. besides that I'm using the auto generated files from AirVpn.

I do have os x firewall turned on/set to application specific... as well as a program called TCPBlock... I have tried disabling them both.

[RubeGoldberg 0]

The rules you posted on page 12:

sudo sysctl -w net.inet.ip.fw.enable=0

sudo sysctl -w net.inet.ip.forwarding=0

sudo ipfw flush

sudo ipfw delete set 31

sudo /sbin/ipfw disable firewall

sudo /sbin/ipfw enable firewall

sudo sysctl -w net.inet.ip.fw.enable=1

sudo ipfw add 01000 allow ip from any to any via lo*

sudo ipfw add 01200 deny ip from any to 127.0.0.0/8

sudo ipfw add 01400 check-state

sudo ipfw add 01600 allow ip from any 67 to any 68 in

sudo ipfw add 01800 allow ip from any 5353 to any in

sudo ipfw add 02000 allow ip from 172.17.0.0/16 to 108.59.8.147 keep-state

sudo ipfw add 04000 allow ip from 127.0.0.1 to any

sudo ipfw add 05000 allow ip from 10.0.0.0/8 to any

sudo ipfw add 05200 allow ip from any to 10.0.0.0/8

sudo ipfw add 65534 deny log ip from any to any

sudo ipfw add 65535 allow ip from any to any

this is what I got :

-atDASNGWrdasngw --up-restart

2012-12-03 20:39:55 *Tunnelblick: openvpnstart message: Loading tun.kext

2012-12-03 20:39:55 *Tunnelblick: Established communication with OpenVPN

2012-12-03 20:39:55 OpenVPN 2.2.1 i386-apple-darwin10.8.0 [sSL] [LZO2] [PKCS11] [eurephia] built on Aug 10 2012

2012-12-03 20:39:55 MANAGEMENT: TCP Socket listening on 127.0.0.1:1337

2012-12-03 20:39:55 Need hold release from management interface, waiting...

2012-12-03 20:39:55 MANAGEMENT: Client connected from 127.0.0.1:1337

2012-12-03 20:39:55 MANAGEMENT: CMD 'pid'

2012-12-03 20:39:55 MANAGEMENT: CMD 'state on'

2012-12-03 20:39:55 MANAGEMENT: CMD 'state'

2012-12-03 20:39:55 MANAGEMENT: CMD 'hold release'

2012-12-03 20:39:55 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2012-12-03 20:39:55 WARNING: file 'user.key' is group or others accessible

2012-12-03 20:39:55 LZO compression initialized

2012-12-03 20:39:55 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]

2012-12-03 20:39:55 Socket Buffers: R=[42080->65536] S=[9216->65536]

2012-12-03 20:39:55 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]

2012-12-03 20:39:55 Local Options hash (VER=V4): '22188c5b'

2012-12-03 20:39:55 Expected Remote Options hash (VER=V4): 'a8f55717'

2012-12-03 20:39:55 UDPv4 link local: [undef]

2012-12-03 20:39:55 UDPv4 link remote: 108.59.8.147:443

2012-12-03 20:39:55 MANAGEMENT: >STATE:1354595995,WAIT,,,

2012-12-03 20:39:55 write UDPv4: Permission denied (code=13)

2012-12-03 20:39:57 write UDPv4: Permission denied (code=13)

2012-12-03 20:40:01 write UDPv4: Permission denied (code=13)

2012-12-03 20:40:09 write UDPv4: Permission denied (code=13)

2012-12-03 20:40:25 write UDPv4: Permission denied (code=13)

2012-12-03 20:40:55 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

2012-12-03 20:40:55 TLS Error: TLS handshake failed

2012-12-03 20:40:56 TCP/UDP: Closing socket

2012-12-03 20:40:56 SIGUSR1[soft,tls-error] received, process restarting

2012-12-03 20:40:56 MANAGEMENT: >STATE:1354596056,RECONNECTING,tls-error,,

2012-12-03 20:40:56 MANAGEMENT: CMD 'hold release'

2012-12-03 20:40:56 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2012-12-03 20:40:56 WARNING: file 'user.key' is group or others accessible

2012-12-03 20:40:56 LZO compression initialized

2012-12-03 20:40:56 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]

2012-12-03 20:40:56 Socket Buffers: R=[42080->65536] S=[9216->65536]

2012-12-03 20:40:56 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]

2012-12-03 20:40:56 Local Options hash (VER=V4): '22188c5b'

2012-12-03 20:40:56 Expected Remote Options hash (VER=V4): 'a8f55717'

2012-12-03 20:40:56 UDPv4 link local: [undef]

2012-12-03 20:40:56 UDPv4 link remote: 108.59.8.147:443

2012-12-03 20:40:56 MANAGEMENT: >STATE:1354596056,WAIT,,,

2012-12-03 20:40:56 write UDPv4: Permission denied (code=13)

2012-12-03 20:40:58 write UDPv4: Permission denied (code=13)

2012-12-03 20:41:02 write UDPv4: Permission denied (code=13)

2012-12-03 20:41:10 write UDPv4: Permission denied (code=13)

2012-12-03 20:41:26 write UDPv4: Permission denied (code=13)

2012-12-03 20:41:36 *Tunnelblick: Disconnecting; user cancelled

2012-12-03 20:41:36 event_wait : Interrupted system call (code=4)

2012-12-03 20:41:36 SIGTERM received, sending exit notification to peer

2012-12-03 20:41:41 TCP/UDP: Closing socket

2012-12-03 20:41:41 SIGTERM[soft,exit-with-notification] received, process exiting

2012-12-03 20:41:41 MANAGEMENT: >STATE:1354596101,EXITING,exit-with-notification,,

2012-12-03 20:41:42 *Tunnelblick: Flushed the DNS cache

Thanks for checkin it out!

[jessez 3]

Hi RubeGoldberg, No problem, but Thanks! for the Thanks...

Ok, I,ve made a new ruleset, I hope this one works for you but let me know if not and post the errors. I noticed from one of your previous posts that your router has IP address 192.168.1.254, so I made the ruleset to reflect that scenario. Again, let me know if that isn't correct, and if not, what the router address and/ or DHCP range is from your router/dhcp server, and we'll get the ruleset fixed up. I added notes in with the ruleset so you know what each line is doing, and also it should help other in future that would like to know what the rules are doing. Obviously don't include those notes if you make the ruleset into a script.

Regards,

jz

ps attach a file isn't working for me so here's the body:

sudo sysctl -w net.inet.ip.fw.enable=0

sudo sysctl -w net.inet.ip.forwarding=0

sudo ipfw flush

sudo ipfw delete set 31

sudo /sbin/ipfw disable firewall

sudo /sbin/ipfw enable firewall

sudo sysctl -w net.inet.ip.fw.enable=1

sudo ipfw add 01000 allow ip from any to any via lo*

sudo ipfw add 01300 allow ip from any to 127.0.0.0/8

sudo ipfw add 01200 allow ip from 192.168.1.0/24 to 192.168.1.254

sudo ipfw add 01400 check-state

sudo ipfw add 01600 allow ip from any 67 to any 68 in

sudo ipfw add 01800 allow ip from any 5353 to any in

sudo ipfw add 02000 allow ip from 192.168.1.0/24 to 108.59.8.147 keep-state

sudo ipfw add 05000 allow ip from 10.4.0.0/8 to any

sudo ipfw add 05100 allow ip from 10.5.0.0/8 to any

sudo ipfw add 05200 allow ip from 10.6.0.0/8 to any

sudo ipfw add 05300 allow ip from 10.7.0.0/8 to any

sudo ipfw add 05400 allow ip from 10.8.0.0/8 to any

sudo ipfw add 05500 allow ip from 10.9.0.0/8 to any

sudo ipfw add 65534 deny log ip from any to any

sudo ipfw add 65535 allow ip from any to any

line 1: turns off firewall, if system is rebooted, firewall is down.

line 2: turns off forwarding (NAT), if system is rebooted, NAT is disabled.

line 3: flushes existing ruleset

line 4: deletes system ruleset #31, if it is able to. If not it isn't a problem.

line 5: disables firewall in current session.

line 6: re-enables firewall in current session.

line 7: re-enables firewall to start on reboot, etc.

line 8: add rule to allow any protocol via lo (loopback address)

line 9: allow all protocols via loopback alias

line 10: allow access to local router

line 11: checks firewall rules state for problems

line 12: allow DHCP to and from router or DHCP server (wherever DHCP is coming from)

line 13: allow mdns - required for DNS lookups

line 14: allow any protocol from 192.168.x.x IP range to AirVPN server USA (un-named because Google searches these forum posts) add more lines like this one, with each server IP you want to connect to.

lines 15 - 16 : allow traffic out to the AirVPN ranges that are used - For port 443 ( see https://airvpn.org/specs/ for more on this)

lines 17 - 18 : allow traffic out to the AirVPN ranges that are used - For port 80 ( see https://airvpn.org/specs/ for more on this)

lines 19 - 20 : allow traffic out to the AirVPN ranges that are used - For port 53 ( see https://airvpn.org/specs/ for more on this)

line 21 : deny all traffic that makes it this far through the ruleset.

line 22 : ruleset #32 if deleting it earlier didn't work, rule 65534 nullifies anything that would normally make it this far, so nothing does.

RubeGoldberg-ipfwruleset.txt

[Staff 9972]

sudo ipfw add 05000 allow ip from 10.4.0.0/8 to any

sudo ipfw add 05100 allow ip from 10.5.0.0/8 to any

sudo ipfw add 05200 allow ip from 10.6.0.0/8 to any

sudo ipfw add 05300 allow ip from 10.7.0.0/8 to any

sudo ipfw add 05400 allow ip from 10.8.0.0/8 to any

sudo ipfw add 05500 allow ip from 10.9.0.0/8 to any

sudo ipfw add 65534 deny log ip from any to any

sudo ipfw add 65535 allow ip from any to any

Hello!

Just a glitch, the above must be 10.x.0.0/16, for example

sudo ipfw add 05100 allow ip from 10.5.0.0/16 to any

Kind regards

[jessez 3]

Hi admins,

Oops, my mistake, thanks very much for catching that!

jz.

No need to post this one in the forum...lol

[kinginter 0]

This thread is huge and mind boggling.

I have AirVPN,

Utorrent Version 1.8.1 (28758)

Mac OS X Lion 10.7.5 (11G63)

Is there a tutorial for adding these rules so traffic will be blocked if VPN drops?

Sorry if its already here…

Thanks