Jump to content
Not connected, Your IP: 18.216.145.37
JJNF_83585

Blocking all non-VPN traffic (Windows)

Recommended Posts

For now, I have changed the rule to "block (no log)" as Jinsong suggested, since I read the following on some blog:

"ICMP Time-To-Live Exceeded in Transit (Type 11 Code 0) is blocked to eliminate the possibility of using traceroutes and Inverse Mapping techniques against a network. However, an advanced host detection method exists whereby only a few fragments of a fragmented datagram a sent (not all of the fragments), i.e., the fragmnted datagram is incomplete. This forces the targeted host to issue an ICMP type 11 code 1 error message back to the offending packet’s source IP address and thereby illuminating the existance of the host to a malicious attacker."

Share this post


Link to post

Most of this stuff is beyond the scope of my knowledge, unfortunately, but I'd add this further food for thought:

It seems like those ICMP requests are being sent directly from your machine *to* Castor... which seems kind of pointless when you think about it, since Castor is a VPN server (not a peer) so it's not going to know how to respond to those requests anyway. Furthermore, if those packets are being sent from your 192.168.x.x network directly to the VPN server itself, then technically that means they're leaking outside of the encrypted tunnel... which is exactly what you DON'T want to have happen. I'd refuse to allow ANYTHING to communicate with the "outside world" unless the source is definitively in the 10.x.x.x network zone. So, I'll reiterate what I said above and just say block it, period. Better to be safe than sorry.

Share this post


Link to post

Just a last thought: Since it's a torrenting application where this happens, could the ICMP "Fragment Reassembly Time Exceeded" events not stem from the fact that the torrent client receives data "fragments" of some sort? And maybe some cannot be assembled in time?

No idea if this is even logical or completely misses the point, it's just a thought I had...

(In any case, I have blocked these ICMP events now).

Share this post


Link to post

"if those packets are being sent from your 192.168.x.x network directly to the VPN server itself, then technically that means they're leaking outside of the encrypted tunnel... which is exactly what you DON'T want to have happen. I'd refuse to allow ANYTHING to communicate with the "outside world" unless the source is definitively in the 10.x.x.x network zone."

My question:

But the Global Rules Method

https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=3405&Itemid=142

*already* allows communication directly to Castor outside of the tunnel in "Rule 10":

Allow TCP or UDP In/Out From IP 95.211.169.3 To MAC Any Where Source Port Is Any And Destination Port Is Any

Allow TCP or UDP In/Out From MAC Any To IP 95.211.169.3 Where Source Port Is Any And Destination Port Is Any

(The only difference in my case was, that I also got ICMP communication, not just TCP or UDP. But the rule itself already allows traffic outside of the tunnel.)

So, is this ICMP traffic to the VPN server somehow more harmful than then TCP/UDP traffic to the VPN server? Hmmm...

I guess it all boils down to the question what these ICMP 1.1 events are really for.

Share this post


Link to post

But the Global Rules Method

airvpn.org/index.php?option=com_kunena&a...=3405&Itemid=142

*already* allows communication directly to Castor outside of the tunnel in "Rule 10":

Allow TCP or UDP In/Out From IP 95.211.169.3 To MAC Any Where Source Port Is Any And Destination Port Is Any

Allow TCP or UDP In/Out From MAC Any To IP 95.211.169.3 Where Source Port Is Any And Destination Port Is Any

Yes, but under normal circumstances, the ONLY application that communicates directly with the VPN server itself is openvpn.exe. No other application should be attempting to "talk" to Castor directly, regardless of the protocol.

You can confirm this by looking at your firewall's active connections. You should only see ONE direct connection taking place between your real network adapter (192.168.x.x) and the IP address of the VPN server (Castor). All other active connections (web browser, torrent client, etc.) should show ONLY the internal IP address assigned by the VPN (10.x.x.x) as its source IP address. Nothing else should be communicating on 192.168.x.x to the outside world besides openvpn.exe; no exceptions.

Share this post


Link to post

I see! Thanks a lot for the info!

(My active connections are exactly as you described. ONLY openvpn.exe comes

from source 192.168.x.x, all others come from source 10.x.x.x).

Yes, so it would indeed be weird if some ICMP connection went directly to the

VPN server outside of the tunnel. (Thanks for suggesting to block it.)

I wonder what could cause mutorrent to send out ICMP info to the VPN server?

But maybe it's not really mutorrent (even though it's triggered by running mutorrent)

since the Application who sends them is strictly speaking "Windows Operating System". Maybe the System just sends these ICMP packages out to all "outlets" possible (even to the VPN server), regardless if the recipient has any use for them or not.

Share this post


Link to post

"

Allow TCP or UDP In/Out From MAC Any To IP 95.211.169.3 Where Source Port Is Any And Destination Port Is Any

Hello!

If you always connect to the same port with the same protocol, you can make this rule stricter. For example, if you always connecto to 443 UDP:

Allow UDP In/Out From MAC Any To IP 95.211.169.3 Where Source Port Is Any And Destination Port Is 443

Or you can define a set of ports (53, 80, 443) and set "Destination Port" in that set ("Network Security Policy"->"Port Sets"->"Add a new port sets").

If you are annoyed by too much logging, just disable the logging for the block rule (untick the "Log when this rule is fired") and re-enable it only when you need it.

Kind regards

Share this post


Link to post

For some tests, I would like to disable Codomo temporarily. Is it possible to exit Comodo Firewall (but not uninstalling it), so that it will *not* come on again at startup when the computer is rebooted? Is there a setting in Comodo itself that would allow this?

Share this post


Link to post

"For some tests, I would like to disable Codomo temporarily. Is it possible to exit Comodo Firewall (but not uninstalling it), so that it will *not* come on again at startup when the computer is rebooted? Is there a setting in Comodo itself that would allow this?"

Never mind, I'll just disable the startup in msconfig.

Share this post


Link to post

For some tests, I would like to disable Codomo temporarily. Is it possible to exit Comodo Firewall (but not uninstalling it), so that it will *not* come on again at startup when the computer is rebooted? Is there a setting in Comodo itself that would allow this?

Hello!

You can set the Firewall Security Level to "Disabled". This will make every and each firewall rule inactive, even without rebooting, but will not prevent Comodo to startup. Your solution in the other message, on the contrary, will prevent Comodo completely to start at the subsequent reboot.

Kind regards

Share this post


Link to post

1) When I use mutorrent, I do get the green network icon ("Network ok. Your network connection is working as it should"), even though I have NOT enabled port forwarding on the AirVPN website. Is this normal? Why do I get the green icon? (in any case, mutorrent seems to work fine and fast.)

2) In mutorrent preferences for "Connection", there is a checkmark at "enable UPnP port mapping", and another checkmark at "enable NAT-PMP port mapping". Should I remove the checkmarks (they were there by default)?

(Note: Here is what the mutorrent help says about this:

Enable UPnP port mapping allows µTorrent to communicate with the router to forward a port without your manual intervention. Some devices do not support Universal Plug and Play (UPnP), so you might still have to forward your ports manually. Disable UPnP if that is the case.

Enable NAT-PMP port mapping allows µTorrent to attempt to forward a port with routers that support the NAT port mapping protocol (Apple products, for example).)

3) In addition to the standard 14-point Global Rules Method outlined by admin, I have added one more Allow Rule which allows all traffic from my real wireless adapter to the "host group" address range "Allow IP In/Out From In [Home Network] to In [Host group addresses] where protocol is Any". Here, Home Network = 192.168.0.0 - 192.168.255.255 and Host Group Addresses = 224.0.0.0 - 239.255.255.255. I did this, because these addresses are (as far as I know) not part of the outside internet, and it allows UPnP and SharePort to continue functioning on my local network. If this rule is dangerously broad, please alert me to this!

I noticed that this allow-rule causes mutorrent at launchtime to connect (successfully) from my *real* IP to 239.255.255.250, which I think is a UPnP communication with the router. It should be safe since 239.255.255.250 is part of the host group addresses, but why does mutorrent do this? Does it have to do with the UPnP port mapping (see question 2 above)? Can this reveal my real IP to the outside somehow, because the connection comes from mutorrent?

Thanks for helping me understand these points!

Share this post


Link to post

1) When I use mutorrent, I do get the green network icon ("Network ok. Your network connection is working as it should"), even though I have NOT enabled port forwarding on the AirVPN website. Is this normal? Why do I get the green icon? (in any case, mutorrent seems to work fine and fast.)

Hello!

This is not normal. Can you please check that the matching router ports are not forwarded?

2) In mutorrent preferences for "Connection", there is a checkmark at "enable UPnP port mapping", and another checkmark at "enable NAT-PMP port mapping". Should I remove the checkmarks (they were there by default)?

You should un-check them: you wish that uTorrent listens to the port you tell it to listen to.

3) In addition to the standard 14-point Global Rules Method outlined by admin, I have added one more Allow Rule which allows all traffic from my real wireless adapter to the "host group" address range "Allow IP In/Out From In [Home Network] to In [Host group addresses] where protocol is Any". Here, Home Network = 192.168.0.0 - 192.168.255.255 and Host Group Addresses = 224.0.0.0 - 239.255.255.255. I did this, because these addresses are (as far as I know) not part of the outside internet, and it allows UPnP and SharePort to continue functioning on my local network. If this rule is dangerously broad, please alert me to this!

It's just fine, you can leave that rule, it does not compromise your anonymity layer.

Kind regards

Share this post


Link to post

Thanks a lot for the reply!

I just checked my router, and there are no ports forwarded by the router. So it seems really strange that I get the green network symbol in mutorrent. (I think I remember that many years ago, I really *needed* to do router port forwarding to get this green symbol, but starting from a certain version# of mutorrent, this was not necessary anymore.) Any ideas?

One more info: when I checked my mutorrent connections last time, normally all are UDP Out from source IP 10.x.x.x to lots of different IPs on the internet. And quite some data is transferred. But sometimes, there also was exactly ONE UDP In connection from somewhere on the internet to 10.x.x.x, and it was on the port that was preselected in mutorrent as the listening port. (random listening port number, selected by mutorrent per default). On that single UDP In connection, there was quite a lot of transferred data, too.

But I definitely did not set any forwarded ports on the AirVPN website, nor on my router.

So it is very strange that I get the green network symbol in mutorrent. (For the last couple years, I did NOT have to set forwarded ports on my router to get the green symbol in mutorrent -- it just worked. But why?)

Share this post


Link to post

UPDATE on my last post: I thought that maybe the default checkmark in mutorrent's Preferences at "enable UPnP port mapping" and at "enable NAT-PMP port mapping" caused the green "network ok" symbol to come on even while AirVPN is running. The mutorrent help about this says:

"Enable UPnP port mapping allows µTorrent to communicate with the router to forward a port without your manual intervention. Some devices do not support Universal Plug and Play (UPnP), so you might still have to forward your ports manually. Disable UPnP if that is the case.

Enable NAT-PMP port mapping allows µTorrent to attempt to forward a port with routers that support the NAT port mapping protocol (Apple products, for example)."

This kind of sounds like the enabled UPnP port mapping might forward the port automatically on the router if the checkmark is checked. Even if I did not specify any forwarded ports on the router myself.

So I removed both checkmarks, rebooted the computer, started AirVPN and mutorrent, and amazingly the green "network ok" symbol STILL APPEARS AS BEFORE, and mutorrent is just as fast and working well as ever.

I really don't understand it! Why do I get this green symbol?

(I'm definitely not doing any port forwarding on the AirVPN site nor on my router.)

I mean, I am not complaining, because everything runs fine in mutorrent. It's just that I think this behavior is unusual, and I don't want to have some kind of unexpected security gap in mutorrent.

Share this post


Link to post

I mean, I am not complaining, because everything runs fine in mutorrent. It's just that I think this behavior is unusual, and I don't want to have some kind of unexpected security gap in mutorrent.

Hello!

This is strange indeed. We need to investigate further as soon as possible. We need to know the listening port for your uTorrent and the server(s) you use. In order to preserve your privacy, please give us these data privately through the "Contact us" form, or write directly to info@airvpn.org. Please enclose the link to this thread to speed up the investigation.

Kind regards

Share this post


Link to post

Thanks, admin, for the reply. I have given you the requested information using the "Contact Us" form and referenced to this thread. I hope this will help to find out what mutorrent is doing here.

For my part, I'm a happy camper since everything works smoothly and mutorrent is fast and works fine (with the green "network ok" symbol displayed). But it would still be good to know if there is maybe some unexpected security risk, since it seems the green symbol should actually not be displayed if no ports are being forwarded.

To summarize: when running mutorrent, I usually have quite a lot of UDP Out connections from 10.x.x.x to all kinds of outside IPs, and typically can see also a few UPD In connections coming from outside to 10.x.x.x:(listening port of mutorrent). So it looks as if my listening port is forwarded somehow by mutorrent, even I did not enable port forwarding on my router (at least not on the Advanced -> Port Forwarding settings which afaik is the only place where to specify this in the router) nor on the AirVPN website.

P.S.: Since my system is not special in any way, I would think that there must be other customers here who use mutorrent and get the green "network ok" symbol even without specifying any port forwarding? Is there anyone else out there who sees this behavior in mutorrent?

Share this post


Link to post

Thanks, admin, for the reply. I have given you the requested information using the "Contact Us" form and referenced to this thread. I hope this will help to find out what mutorrent is doing here.

For my part, I'm a happy camper since everything works smoothly and mutorrent is fast and works fine (with the green "network ok" symbol displayed). But it would still be good to know if there is maybe some unexpected security risk, since it seems the green symbol should actually not be displayed if no ports are being forwarded.

To summarize: when running mutorrent, I usually have quite a lot of UDP Out connections from 10.x.x.x to all kinds of outside IPs, and typically can see also a few UPD In connections coming from outside to 10.x.x.x:(listening port of mutorrent). So it looks as if my listening port is forwarded somehow by mutorrent, even I did not enable port forwarding on my router (at least not on the Advanced -> Port Forwarding settings which afaik is the only place where to specify this in the router) nor on the AirVPN website.

P.S.: Since my system is not special in any way, I would think that there must be other customers here who use mutorrent and get the green "network ok" symbol even without specifying any port forwarding? Is there anyone else out there who sees this behavior in mutorrent?

Hello!

uTorrent is capable to perform the correct UDP Hole Punching through our VPN servers NAT. Skype is considered to be able to do that too.

This is possible because Air implemented NAT is p2p friendly, a "cone NAT" (see RFC 3489) . It "focuses" all sessions originating from a single private endpoint through the same public endpoint on the NAT. (Ford, MIT, "Peer-to-Peer Communication Across Network Address Translators", 2005).

[...] hole punching does not compromise the security of a private network. Instead, hole punching enables applications to function within the default security policy of most NATs, effectively signaling to NATs on the path that peer-to-peer communication sessions are “solicited” and thus should be accepted. This paper documents hole punching for both UDP and TCP, and details the crucial aspects of both application and NAT behavior that make hole punching work.

(Ford)

For (a lot of) additional information please see http://www.brynosaurus.com/pub/net/p2pnat , in particular paragraphs 3.2, 3.4 and 5.1.

Kind regards

Share this post


Link to post

Maybe I should ask my question here, since it seems the right thread for it (I had asked it in the DNS Leak thread before, where it is off-topic):

I'm using the Global Rules Method in Comodo, but also added the following allow-rule:

Allow IP In/Out From IP 0.0.0.0 To In [Host Group Addresses] Where Protocol Is Any

Is this rule safe?

(The reason for the rule is that whenever my PC cannot connect to any TCP/IP network (f.ex., during reconnection attempts), it seems to take the dummy IP 0.0.0.0 for a short time, and sometimes then attempts with this "IP" to connect to some IP(s) in the host group address range ( [224.0.0.0 to 239.255.255.255] which afaik is not part of the outside internet). These attempts get blocked by the Comodo "block-all-rule" but fill up my Firewall Event log, so I would like to allow them if they are not harmful.)

Thanks for any info.

Share this post


Link to post

Maybe I should ask my question here, since it seems the right thread for it (I had asked it in the DNS Leak thread before, where it is off-topic):

I'm using the Global Rules Method in Comodo, but also added the following allow-rule:

Allow IP In/Out From IP 0.0.0.0 To In [Host Group Addresses] Where Protocol Is Any

Is this rule safe?

Hello!

Yes, it's safe. See also:

http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml

Kind regards

Share this post


Link to post

one of these days I'll figure out the Comodo firewall part of using AirVpn but just can't buy it until I figure out the complicated process. I appreciate the staff basically guiding those of us that don't understand but it's still not understood by those not as computer literate.

If a "dummy guide" were done with "step 1, step 2" and so forth, with pics, then I'd know. Sorry for my ignorance but I know I'm not alone.

Share this post


Link to post

one of these days I'll figure out the Comodo firewall part of using AirVpn but just can't buy it until I figure out the complicated process. I appreciate the staff basically guiding those of us that don't understand but it's still not understood by those not as computer literate.

If a "dummy guide" were done with "step 1, step 2" and so forth, with pics, then I'd know. Sorry for my ignorance but I know I'm not alone.

Hello!

Did you look at the guides linked in step 1? They have screenshots and a step-by-step tutorial on how to define Network Zones and Global Rules.

Kind regards

Share this post


Link to post

Step 1? Sorry but I must have missed that. Is there a link you can post or do I have to go through a buy process? Thanks again and this will really help. Just need to find the link for step 1.

Share this post


Link to post

Step 1? Sorry but I must have missed that. Is there a link you can post or do I have to go through a buy process? Thanks again and this will really help. Just need to find the link for step 1.

Hello!

No problems, you can find the links in step 1 in the guide (which is permanently linked in forum announcements and accessible to anyone):

https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=3405&Itemid=142

Kind regards

Share this post


Link to post

Thanks for all your help, much appreciated. I believe I'd rather just set up my rule(s) for allowing / blocking Utorrent in WINDOWS FIREWALL. I know your tutorial is with Comodo but any suggestions on how I do that? I know about advanced settings in windows firewall but never did that. Any tutorial on that would be great. Many thanks.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...