Jump to content
Not connected, Your IP: 44.200.101.170
Evenstar

Win - Mac - BSD Block traffic when VPN disconnects

Recommended Posts

Hello!

It works! It works!

You guys did a fantastic job. Excellent support! I’m a complete vpn-novice and now I even have a firewall. Thanks a lot.

As to the error message caused by the insertion of the rule “block out any” in the pf.conf file: Could is be due to a conflict with the standard setting of IceFloor which allows access to LAN?

The new rules in the pf.conf file are represented by IceFloor in the frontend “Manage PF rules” panel in this way:

anchor "com.apple/*"

block drop out inet from 192.168.0.0/16 to any

pass out quick inet from 192.168.0.0/16 to 62.212.85.65 flags S/SA keep state

pass out quick inet from 192.168.0.0/16 to 192.168.0.0/16 flags S/SA keep state

pass out quick inet from 127.0.0.1 to any flags S/SA keep state

pass out quick inet from 10.0.0.0/8 to any flags S/SA keep state

Again, thanks a lot.

Hello!

Thank you for your nice words. We're glad to know that you have managed to have a working and secure setup. If there was a conflict, the message should not have been "syntax error", but something different.

Anyway, "block out any"? The rule is "block out all".

Kind regards

Share this post


Link to post

Hi,

I have a Windows 7 laptop. I am using standard Windows Firewall.

I would like to know how to cut-off internet access (particularly for uTorrent and Opera internet browser) if the AirVpn connection is broken.

I am using airvpn using direct access (i.e., downloaded the air profile into openvpn folder and connected directly).

Thank you.

Share this post


Link to post

Hi,

I have a Windows 7 laptop. I am using standard Windows Firewall.

I would like to know how to cut-off internet access (particularly for uTorrent and Opera internet browser) if the AirVpn connection is broken.

I am using airvpn using direct access (i.e., downloaded the air profile into openvpn folder and connected directly).

Thank you.

Hello!

Please see https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=1713&Itemid=142#1715 and subsequent messages on this very same thread.

Currently Comodo Firewall is the only software firewall for 64-bit Windows systems which passes important leak tests, so it is highly recommended not to trust any other software firewall.

Kind regards

Share this post


Link to post

Hello

Solution with Coodo is really straightforward.

Are you maye aware of any Linux (ubuntu) solution, which can be used as Comodo on Windows?

Default gufw can not be configured that way, I haven't been able to find a proper simple solution....

Thank you

Share this post


Link to post

Hello

Solution with Coodo is really straightforward.

Are you maye aware of any Linux (ubuntu) solution, which can be used as Comodo on Windows?

Default gufw can not be configured that way, I haven't been able to find a proper simple solution....

Thank you

EDITED ON 21 Aug 12

EDITED ON 24 Nov 12: added important note for some Linux users, see bottom of message

Hello!

You can use iptables, a very powerful packet filtering and NAT program (probably one of the most powerful, if not the most powerful of all). iptables is already included in all official Ubuntu distros and most Linux distros, anyway if you don't have it just install it with aptitude.

Adding the following simple rules will prevent leaks in case of [accidental] VPN disconnection. In this example, it is assumed that your network interface is eth+ (change it as appropriate; for example, you might have wlan0 for a WiFi connection).

a.b.c.d is the entry-IP address of the Air server you connect to. You can find out the address simply looking at the line "remote" of your air.ovpn configuration file. In case of doubts, just ask us. Some of the following rules might be redundant if you have already chains.

Assumptions: you are in a 192.168.0.0/16 network and your router is a DHCP server. You have a a physical network interface named eth*. The tun adapter is tun* and the loopback interface is lo.

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT #allow loopback access
iptables -A OUTPUT -d 255.255.255.255 -j  ACCEPT #make sure you can communicate with any DHCP server
iptables -A INPUT -s 255.255.255.255 -j ACCEPT #make sure you can communicate with any DHCP server
iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT #make sure that you can communicate within your own network
iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
iptables -A FORWARD -i eth+ -o tun+ -j ACCEPT 
iptables -A FORWARD -i tun+ -o eth+ -j ACCEPT # make sure that eth+ and tun+ can communicate
iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE # in the POSTROUTING chain of the NAT table, map the tun+ interface outgoing packet IP address, cease examining rules and let the header be modified, so that we don't have to worry about ports or any other issue - please check this rule with care if you have already a NAT table in your chain
iptables -A OUTPUT -o eth+ ! -d a.b.c.d -j DROP  # if destination for outgoing packet on eth+ is NOT a.b.c.d, drop the packet, so that nothing leaks if VPN disconnects

When you add the above rules, take care about pre-existing rules, if you have already some tables, and always perform a test to verify that the subsequent behavior is what you expect: when you disconnect from the VPN, all outgoing traffic should be blocked, except for a reconnection to an Air server.

In order to block specific programs only, some more sophisticated usage of iptables is needed, and you will also need to know which ports those programs use. See "man iptables" for all the features and how to make the above rules persistent or not according to your needs.

Warning: the following applies ONLY for Linux users who don't have resolvconf installed and don't use up & down OpenVPN client scripts

In this case, your system has no way to process the DNS push from our servers. Therefore your system will just tunnel the DNS queries with destination the DNS IP address specified in the "nameserver" lines of the /etc/resolv.conf file. But if your first nameserver is your router IP, the queries will be sent to your router which in turn will send them out unencrypted. Solution is straightforward: edit the /etc/resolv.conf file and add the following line at the top (just an example, of course you can use any of your favorite DNS, as long as it is NOT your router):

nameserver 10.4.0.1 # in order to use AirVPN DNS
nameserver 8.8.8.8 # in order to use Google DNS only if AirVPN DNS is unavailable

Kind regards

Share this post


Link to post

Is there any way to disable a rule in Comodo? I like being able to block on VPN drop, but sometimes I'd like to access sites using my ISP. I can't find a way, other than deleting and recreating the rule each time...which is a pain. I currently created an application rule for Firefox and tested that it works (It does). I wonder if there is a way to create 2 Global rules, and then move one abve the other when needed...does Comodo work like a traditional firewall where the allow rule above the deny rule is respected?

Thanks,

JD

Edit: I gues I could close the VPN and uncheck the Exclude box as a work around, correct?

Share this post


Link to post

Is there any way to disable a rule in Comodo? I like being able to block on VPN drop, but sometimes I'd like to access sites using my ISP. I can't find a way, other than deleting and recreating the rule each time...which is a pain. I currently created an application rule for Firefox and tested that it works (It does). I wonder if there is a way to create 2 Global rules, and then move one abve the other when needed...does Comodo work like a traditional firewall where the allow rule above the deny rule is respected?

Thanks,

JD

Edit: I gues I could close the VPN and uncheck the Exclude box as a work around, correct?

Hello!

The "Exclude" tick might or might not work properly (it works as a NOT operator), it depends on your configuration.

Probably the most straightforward way is switching from your "Custom Policy" (when connected to the VPN) to "Safe Mode" (when you want connectivity without the VPN), because to do that you just need to right-click on the Comodo dock icon.

Kind regards

Share this post


Link to post

Thanks. The Exclude switch works. When unchecked, it will block the VPN and allow anything else. Since the VPN is shut down, it doesn't matter. Pretty decent work around.

JD

Share this post


Link to post

a.b.c.d is the entry-IP address of the Air server you connect to. You can find out the address simply looking at the line "remote" of your air.ovpn configuration file. Some of the following rules might be redundant if you have already chains.

<code>iptables -I FORWARD -i eth+ -o tun+ -j ACCEPT

iptables -I FORWARD -i tun+ -o eth+ -j ACCEPT # make sure that eth+ and tun+ can "communicate"

iptables -I INPUT -i tun+ -j REJECT

iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE # in the POSTROUTING chain of the NAT table, map the tun+ interface outgoing packet IP address, cease examining rules and let the header be modified, so that we don't have to worry about ports or any other issue - please check this rule with care if you have already a NAT table in your chain

iptables -I OUTPUT -o eth+ ! --dst a.b.c.d -j DROP # if destination for outgoing packet on eth+ is NOT a.b.c.d, drop the packet, so that nothing leaks if VPN disconnects

# the above line can be duplicated for as many Air servers as you wish to connect to, just insert the appropriate Air server entry-IP

</code>

Kind regards

hi

i've tried this approach, but it didn't work with me, it seems it blocked all traffic. it was a good start, i did some research, it seems tun interface is the one communicating with the VPN server, so I did this:

iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -A OUTPUT -d a.b.c.d -j ACCEPT
iptables -A OUTPUT -j DROP

didn't check completely, but it seems to be working

Share this post


Link to post

Thanks to the airvpn techs and Orfeo for the work with the pf firewall. What a nightmare I've had trying to get it working right! I don't want the Apple anchor and do want dns through privacyfoundation.de, so this is my working pf.conf for anyone else to use. It has all the Gb servers except the one in the UK. Also with pf.conf on the mac, the last line needs to have a return, so when the cursor is on the last line, you should be able to use the right or down arrows and the cursor drop one line down only. Anymore than that backspace it out.
Using this in terminal will show exactly what the rules are that will load and point out any errors:

sudo pfctl -vvv -f /etc/pf.conf

for some reason you still have to do: sudo pfctl -e
to start the firewall.

Best regards to all,
jz


# pf.conf
# Drop everything that doesn't match a rule
block drop out inet from 192.168.0.0/16 to any
# Swiss DNS
pass out quick inet from 192.168.0.0/16 to 87.118.104.203 flags S/SA keep state
pass out quick inet from 192.168.0.0/16 to 87.118.109.2 flags S/SA keep state
# Airvpn; Tauri, Castor, Draconis, Sirius, Vega
pass out quick inet from 192.168.0.0/16 to 46.165.208.65 flags S/SA keep state
pass out quick inet from 192.168.0.0/16 to 95.211.169.3 flags S/SA keep state
pass out quick inet from 192.168.0.0/16 to 178.248.29.132 flags S/SA keep state
pass out quick inet from 192.168.0.0/16 to 108.59.8.147 flags S/SA keep state
pass out quick inet from 192.168.0.0/16 to 69.163.36.66 flags S/SA keep state
# Local network
pass out quick inet from 192.168.0.0/16 to 192.168.0.0/16 flags S/SA keep state
# Allow all on lo0
pass out quick inet from 127.0.0.1 to any flags S/SA keep state
# Everything tunneled
pass out quick inet from 10.0.0.0/8 to any flags S/SA keep state

Modified by jz
Here is modifications to pf.conf:
https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=2935&Itemid=142#2935

Share this post


Link to post

Hi,

There aren't any rules in this article for ipfw ( WaterRoof being a front-end for ipfw ). The ones above ( and the others that mention pf ) are for the pf firewall; only available in Mac Lion, BSD, and some other UNIX variants. iptables is only used in Linux anymore as far as I know.

What operating system are you using?

If necessary I could set up some rules for ipfw if slackerofthemind and/or galilao are willing to test them.

Best

jz

Share this post


Link to post

Sure, I'd be more than happy to test out the Waterroof rules, thanks!

Having not used Waterroof before I'm simply finding it a pain to mimic similar rules above, and I don't have the time to dig deep into this at the moment.

Waterroof wasn't accepting IP addresses in the value(s) fields so I simply gave up on it --- it was giving me error messages when inputing AirVPN X.X.XX.XX IPs as allowable addresses. Couldn't figure out why.

Ideally I'd like to haev *all AirVPN* IP addresses on UDP/TCP included so that whatever I connect to is cleared.

I've also looked into using Little Snitch but though you can easily block All Application traffic there is no easy way of allowing traffic to a set of IP ranges to All Applications.

Happy to test & refine but what I really need is an example of a Waterroof ruleset.

Share this post


Link to post

Hi,

slackerofthemind: I've never seen a problem with WaterRoof like that (You may end up having to uninstall it and reinstall, but we'll see what happens when you import rules). What version of MacOS are you running? No problem to add all the servers, there's a list on here somewhere that has them all, so I'll find that for reference.

Little Snitch doesn't have the capability of doing this kind of firewalling, I use it myself to limit apps that have network access, but that's about all it's good for other than monitoring what apps are trying to make outgoing connections.

galilao: ok, you have to use the ipfw as Leopard-10.5.x (and SnowLeopard-10.6.x - if you upgrade at any time) only has that capability for firewalling.

Ok, I'll put some rules together and post the file for import into WaterRoof. It may take me a day or two (so you have a time-frame).

Regards to you both,

jz

Share this post


Link to post

This is only for MacOSX/UNIX using the IPFW firewall. It not for Windows or Linux!

Ok for the Mac users;

I set up some ipfw rules and will post 4 files. I ran the shell script and tested it sucessfully, therefore manually adding everything at the command line should work.

What I didn't test was the import into WaterRoof, and also some more testing could be done to make sure nothing gets out except through AirVPN.

I tested browser, email client and VOIP client successfully ( odd to say this, but... ) not connecting to anything …lol

Let me know about any errors, ommisions, changes or additions so I can fix them, Thanks!

1st file ) I would recommend saving: AirVPN-tutorial.txt. If you don't and then can't get internet access to do troubleshooting, well, you were advised to save it

2nd file ) AirVPN-script.sh which will setup everything automatically for you.

For anyone that doesn't know how to run a shell script: open a terminal and cd to the place you saved the AirVPN-script.sh file.

ie: cd /home/<your-username-here>/Downloads

Then copy and paste this at the terminal prompt: sh ./AirVPN-script.sh

Type y when prompted.

Check the rules and that ipfw is running: ipfw -a list

This command will also show you which rules are passing and blocking packets, which is useful for troubleshooting, and confirming every packet is going through AirVPN

3rd file ) AirVPN-Commandline&Documentation.txt

This is just the rules and some documentation to let the reader know what each item is doing. Anyone that uses the airvpn-script can check what it does by reading this file.

The rules can be copy pasted to the terminal if you like doing everything manually and/or selecting which airvpn servers you want to allow connections to.

4th file ) airvpn-ipfw-ruleset ( if it ends up with .txt as an extension delete the .txt - this file has no extension for import in WaterRoof )

This is the ruleset that should be import-able into WaterRoof and possibly other ipfw front-end software like NoobProof and maybe DoorStop.

A word of caution here: if you are using a frontend to ipfw, make sure all it's default rules are flushed first. I think ones like WaterRoof, NoobProof and DoorStop have default rules setup that will nullify any benefit of using the ruleset provided here.

If you are unable to flush rule number 65535 or it returns after flushing, don't worry; rule 65534 denies everything that gets that far through the firewall rules.

If you are watching the log, you will see all the denials in rules numbered 65000 to 65634

README:

Lastly, I have done this for the benefit of AirVPN users. Therefore I accept no liability for anything whatsoever, whether I put it in the rules or instructions, or you as the user change anything.

I have done my best to block anything from going in or out of your internet connection unless you are connected to AirVPN, so make sure you are connected before wondering why your browser, email, VOIP, or whatever else isn't connecting.

TROUBLESHOOTING:

If you cannot connect to AirVPN after running the script, adding anything manually, or importing the ruleset into WaterRoof, run the following at the command prompt:

sudo ipfw flush

That will flush the rules and give you direct access to the internet through your isp so you can get support for whatever the problem is.

If that doesn't work;

sudo ipfw disable firewall

sudo ipfw flush

sudo ipfw enable firewall

Source: man ipfw ;

If the world and the kernel get out of sync the ipfw ABI may break, preventing you from being able to add any rules. This can adversely effect the booting process. You can use: sudo ipfw disable firewall to temporarily disable the firewall to regain access to the network, allowing you to fix the problem

Or for worst case scenario:

sudo sysctl -w net.inet.ip.fw.enable=0

which will stop the firewall from loading at boot, so paste sudo sysctl -w net.inet.ip.fw.enable=0 in the terminal, hit enter, reboot the mac, and you'll be clean with no ipfw firewalling when it restarts.

AirVPN-tutorial.txt

Share this post


Link to post

OK, sorry I had to change the extension of AirVPN-script.sh and airvpn-ipfw-ruleset to comply with the forum attachment rules, so just take the .txt off of each of those to make them usable.

AirVPN-script.sh.txt

Share this post


Link to post

Hello, I found the AirVPN-tutorial file. I was searching on the Home page, then realized it was an attachment. Thank you

Share this post


Link to post

Hi,

Any idea how to do these setting on Vipre Firwall. I an't seem to get it working.

Gopal

Share this post


Link to post

Hi all,

galileo, you're welcome. Let me know how the testing goes.

gopal; I'm sorry I'm not familiar with the Vipre software and can't really help you with that. If it allows manually adding and deleting rules, there should be some way to do it though. Perhaps the admins or someone familiar with that software can help.

Best regards,

jz

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...