jessez

Block Traffic - VPN disconnect MacLion pf Only

Hi,

I decided to make this a new post since it only refers to the pf firewall in MacOSX Lion and BSD Unix.

This post refers to page 7 in this post: https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=1713&limit=6&limitstart=36&Itemid=142

I have modified pf.conf to speed up rule parsing and also took out the section for Swiss/German DNS (privacyfoundation) so there would never be DNS unless it is tunnelled.

This pf.conf file also just lists the gigabyte servers, the others can be added easily (or removed) by modifying the line: table <vpn> const { 46.165.208.65 95.211.169.3 178.248.29.132 108.59.8.147 69.163.36.66 } , adding or deleting the server IP's for the ones desired.

NOTE: This file reflects that my network is accessed through wireless (en1); therefore, for access with wired ethernet, en1 should be changed to en0 (lines 17, 20, 21, 25, 36, 37, and 38).

In terminal: ifconfig will show your interface names if you are using something different, such as a USB adapter.

Also if you are adding the 100Mb servers change line 53 to: pass out quick inet from 10.0.0.0/8 to any flags S/SA keep state

NOTE: This file also reflects that the network I use is a 192.168.1.x network, and I don't want traffic from any other computers on my network, so if you have a different network address (DHCP or static), change line 37 in the file.

For example, I believe that D-Link routers use 192.168.0.x, so the change would be: block drop in quick on en1 from any to 192.168.0.255

If you want local network traffic, then comment out lines 36,37,38.

I think that should be all the mods required in the file.

Useful information from the tables can be obtained with the following command:

sudo pfctl -vvsTables

BTW, make a backup of your pf.conf : sudo cp /etc/pf.conf /etc/pf.conf.bak

Regards,

jz

pf.conf.txt


Hi, I'm pretty new to all this firewall, command line stuff, but I was wondering if it's possible to only block P2P traffic when AirVPN is not connected but still allow all other traffic. Thanks.


Hi, I'm pretty new to all this firewall, command line stuff, but I was wondering if it's possible to only block P2P traffic when AirVPN is not connected but still allow all other traffic. Thanks.

Hello!

A general solution is layer 7 filtering on your physical interface (so that p2p will be blocked only when you are not connected to the VPN). pf is perfectly capable of doing that, but it's not an easy solution. Since you want to block "yourself", you don't have to bother about all the possible cases. You can just block all and every port used by your p2p client (either with a "whitelist" or a "blacklist") on your physical network interface, so the p2p client will be able to send and receive packets only through tunx.

Kind regards


I can't seem to get Jessez's instructions to work. My limited experience and some troubleshooting doesn't seem to be enough. I've used the .conf file attached above, just a straight copy/paste. My machine's local IP is 10.0.1.11 (Apple Time Capsule range), so I swapped that in for the 198's in the file. Loading pf.conf and enabling doesn't seem to make a difference with non-VPN traffic, so clearly I'm doing something wrong. It's a 10.8.2 Mountain Lion system.

Here's the rules as loaded:

sudo pfctl -sr

No ALTQ support in kernel
ALTQ related functions disabled
scrub in on en1 all fragment reassemble
block drop in on en1 inet from <__automatic_a99aaaf2_0> to any
block drop in on ! en1 inet from 10.0.1.0/24 to any
block drop in inet from 10.0.1.11 to any
block drop out on en1 inet from any to <__automatic_a99aaaf2_1>
pass out quick inet from 10.0.0.0/16 to <vpn> flags S/SA keep state
block drop in quick inet from <broadcast> to any
block drop out log inet from 10.0.0.0/16 to any
pass out quick inet from 127.0.0.1 to any flags S/SA keep state
pass quick inet proto tcp from any port 20:21 to any port 49152:65535 flags S/SA keep state
pass out quick inet from 10.0.0.0/8 to any flags S/SA keep state

Just to test myself I built a block-all conf and loaded it - worked, zero traffic in/out. So the fundamentals are there.

Thoughts?


I can't seem to get Jessez's instructions to work. My limited experience and some troubleshooting doesn't seem to be enough. I've used the .conf file attached above, just a straight copy/paste. My machine's local IP is 10.0.1.11 (Apple Time Capsule range), so I swapped that in for the 198's in the file. Loading pf.conf and enabling doesn't seem to make a difference with non-VPN traffic, so clearly I'm doing something wrong. It's a 10.8.2 Mountain Lion system.

Here's the rules as loaded:

pass out quick inet from 10.0.0.0/8 to any flags S/SA keep state

Hello!

At least the quoted rule is wrong. Since your home network is in 10.0.1.0/24, you can't even simplify the allow rule with 10.0.0.0/8, because it would overlap authorizations for different networks (your home network and the Virtual Private Network). jessez did not foresee this particular case.

The quickest solution is setting 6 different pass out rules to replace the above quoted rule:

pass out quick inet from 10.4.0.0/16 to any flags S/SA keep state
pass out quick inet from 10.5.0.0/16 to any flags S/SA keep state
pass out quick inet from 10.6.0.0/16 to any flags S/SA keep state
pass out quick inet from 10.7.0.0/16 to any flags S/SA keep state
pass out quick inet from 10.8.0.0/16 to any flags S/SA keep state
pass out quick inet from 10.9.0.0/16 to any flags S/SA keep state

To understand why please see here:

https://airvpn.org/specs

Kind regards


Yup. Brilliant. Quick fix, tests successful. For anyone else who runs into the problem, the fix is to swap the last line in jessez's pf.conf:

# Everything tunneled
pass out quick inet from 10.5.0.0/8 to any flags S/SA keep state

With

# Everything tunneled
pass out quick inet from 10.4.0.0/16 to any flags S/SA keep state
pass out quick inet from 10.5.0.0/16 to any flags S/SA keep state
pass out quick inet from 10.6.0.0/16 to any flags S/SA keep state
pass out quick inet from 10.7.0.0/16 to any flags S/SA keep state
pass out quick inet from 10.8.0.0/16 to any flags S/SA keep state
pass out quick inet from 10.9.0.0/16 to any flags S/SA keep state

Thanks to both Admin and Jessez.

Guest ergolon

Dear Jessez,

thanks for your instructions!

NOTE: This file reflects that my network is accessed through wireless (en1); therefore, for access with wired ethernet, en1 should be changed to en0 (lines 17, 20, 21, 25, 36, 37, and 38).

Looks like you're a little off here? I find "en0" in line 16 (not 17), 19&20 (not 20&21), 24 (not 25).

And there's no "en0" in lines 3X at all? Looks like you changed the code after writing these comments?

NOTE: This file also reflects that the network I use is a 192.168.1.x network, and I don't want traffic from any other computers on my network, so if you have a different network address (DHCP or static), change line 37 in the file.

For example, I believe that D-Link routers use 192.168.0.x, so the change would be: block drop in quick on en1 from any to 192.168.0.255

If you want local network traffic, then comment out lines 36,37,38.

I'd really like to have local traffic... so what lines do I change here?

Thanks a lot for your help and thanks for taking the time to share these rules... it's really appreciated!

Best wishes,

ergolon


Hi ergolon,

Sorry, this one didn't get sent to my email for some reason, so it's lucky I was looking for something else today.

I checked the pf.conf that I posted, and all the line numbers are correct up to the 30's as you said, there aren't any en0 or en1 in the 30's.

When copying it, ###Macro is line 1.

I have made a revised one that should enable local network access and also puts back the apple anchor as it seems that not using it messes up some airport or bonjour type stuff.

Anyway, I'll post the new pf.conf for you in a few minutes, assuming you are using en0 from what you said in your post.

Regards,

jessez


PS: I seem to be having a problem with posting, so apologies if some of this is in two posts.

Also I have the flu and bronchitis now, so hopefully I didn't miss anything in the pf.conf.

pf.conf-ergolon.txt

Guest ergolon

Hi Jessez,

thanks a lot for your effort... again! :-)

And sorry I'm bothering you once more... maybe you can help... again? :-/

Seems that I can connect to the internet, but I still can't connect to my local NAS (192.168.1.10) via AFP when I'm connected to AirVPN and PF is enabled with the modified configuration (pf.conf-ergolon.txt).

I changed these lines to match my setup (complete setup file is attached):

Line 34: changed from...

"block drop out inet from 192.168.10.0/24 to any"

to

"block drop out inet from 192.168.1.0/24 to any"

...since my network is in the 192.168.1.x range.

Line 43: changed from...

"table < vpn > const { xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx }"

to

"table < vpn > const { 94.242.205.234 95.211.169.3 95.211.191.33 178.248.30.131 }"

since I'm only connecting to Herculis, Castor, Leporis or Sepentis.

Lines 58-63: Commented out, since I'm only connecting through port 443.

---

This is what I get when I run "pfctl -sr":

No ALTQ support in kernel
ALTQ related functions disabled
scrub in on tun0 all fragment reassemble
scrub-anchor "com.apple/*" all fragment reassemble
anchor "com.apple/*" all
block drop out inet from 192.168.1.0/24 to any
block drop in quick inet6 all
pass out quick inet from 127.0.0.1 to any flags S/SA keep state
pass out quick inet from 192.168.1.0/24 to <vpn> flags S/SA keep state
block drop quick inet from <private> to any
pass quick inet proto tcp from any port 20:21 to any port 49152:65535 flags S/SA keep state
pass out quick inet from 10.4.0.0/16 to any flags S/SA keep state
pass out quick inet from 10.5.0.0/16 to any flags S/SA keep state

---

Like I said:

Connecting to internet: yes

Connecting to local machines: no

Any ideas on that?

Best wishes and get well soon!

Greets,

ergolon

PS. One more question: There is no en0 anymore since you changed "scrub in on en0 all fragment reassemble" to "scrub in on tun0 all fragment reassemble". That's correct though, right?

Guest ergolon

Sorry, here's the attachment...

pf.conf.txt


Hi ergolon,

No problem asking for help, I learn more all the time by helping others sort out pf issues.

Ok, so the line "block drop out inet from 192.168.1.0/24 to any" is dropping everything in your local network, because I don't want any other computers on my network accessing or even seeing my computer. I do need access to my router though, so if you are using static IPs it's very easy by putting in a line such as this:

# Allow access to router (or NAS in your case) (My router is 192.168.10.1 and the .211 my computer, so just add a line like this one)

pass out quick inet from 192.168.10.211 to 192.168.10.1 flags S/SA keep state

If your network is all DHCP assigned it will be a bit more work to set up the rules. If that is the case, you can use this site (http://www.subnet-calculator.com/cidr.php) to determine the masks to make the rules from, or tell me what the dhcp range is on your network and I'll try to figure out the local access rule(s) for you.

As an afterthought, you might just be able to take that line out (block drop out inet from 192.168.1.0/24 to any) and have it work fine. The test will be whether you have any internet access when not connected to AirVPN. Also, with pf I have determined it has to be disabled and re-enabled after rule changes, and occasionally, if you are changing the rules a lot in one session, the Mac may need to be rebooted to fix the firewall. Here's a good command for flushing rules during testing:

sudo pfctl -Fa -f /etc/pf.conf -- this one flushes and reloads pf.conf - I usually use sudo pfctl -d, then the flush then sudo pfctl -e in that order.

sudo pfctl -vvv -f /etc/pf.conf -- good for checking the validity of the rule set, but doesn't enable or disable pf.

"scrub in on tun0 all fragment reassemble" is correct, since tun0 is where all the (not local) network traffic is going in and out.

I hope that helps,

jessez


Trying to set all this up is turning out to be a little too complex for me.

I need a solution that is more Mac and less Linux... I am on OSX 10.8, could anyone please suggest an easy-to-use firewall (commercial or not) that would handle the necessary settings?


Trying to set all this up is turning out to be a little too complex for me.

I need a solution that is more Mac and less Linux... I am on OSX 10.8, could anyone please suggest an easy-to-use firewall (commercial or not) that would handle the necessary settings?

Hello!

Mac OS X is based on UNIX-compliant OpenBSD, which is probably the strongest feature of the OS. The recommended firewall is pf, which is one of the best packet filtering tools currently existing in the world together with iptables. There is no reason for which a Mac user should be intimidated by some of the finest software in the world, so don't be afraid, just as there is no reason for which a Mac user should be afraid of really using his/her own system, i.e. a UNIX-like system.

pf is available by default on OS 10.8 because it is pre-installed by Apple so you will not need any installation.

jessez has prepared instructions and a ready-to-use script which are friendly to Mac OS users:

https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=1713&limit=6&limitstart=36&Itemid=142#2532

Kind regards

Guest ergolon

Hi Jessez,

thanks again for your reply!

Following your advice, I added these lines:

# Allow access to Router & NAS (Router 192.168.1.1 | NAS 192.168.1.10 | Computer 192.168.1.2)

pass out quick inet from 192.168.1.2 to 192.168.1.1 flags S/SA keep state

pass out quick inet from 192.168.1.2 to 192.168.1.10 flags S/SA keep state

And thanks for all the pfctl-options... they come in very handy.

Now I'm able to connect to the web interface of Router & NAS, which is great!

One thing that still won't work (and what I desperately need ;-) is connecting to my local NAS (192.168.1.10) via AFP or SMB.

NAS via Web-Interface: yes

NAS via SMB or AFP: no

Any ideas?

---

This is what I get when I run "pfctl -sr":

No ALTQ support in kernel
ALTQ related functions disabled
scrub in on tun0 all fragment reassemble
scrub-anchor "com.apple/*" all fragment reassemble
anchor "com.apple/*" all
block drop out inet from 192.168.1.0/24 to any
block drop in quick inet6 all
pass out quick inet from 127.0.0.1 to any flags S/SA keep state
pass out quick inet from 192.168.1.0/24 to <vpn> flags S/SA keep state
block drop quick inet from <private> to any
pass quick inet proto tcp from any port 20:21 to any port 49152:65535 flags S/SA keep state
pass out quick inet from 192.168.1.2 to 192.168.1.1 flags S/SA keep state
pass out quick inet from 192.168.1.2 to 192.168.1.10 flags S/SA keep state
pass out quick inet from 10.4.0.0/16 to any flags S/SA keep state
pass out quick inet from 10.5.0.0/16 to any flags S/SA keep state

---

Best wishes and thanks again!

ergolon

Guest ergolon

Hi zurahthustra,

I'm just in the process of building a nice little Mac-like setup with the kind help and pf expertise of Jessez.

Once the setup is working, I'd be happy to share the solution, which is based on Shimo (http://www.chungwasoft.com/shimo/) and two AppleScripts making use of the internal pf firewall.

Should be pretty easy to handle.

I'll post the instructions in this thread once the finishing is ready. :-)

Best wishes,

ergolon


Hey all - actually just built something to control firewall and vpn last week but been out of town. I was planning on posting tonight. Basically:

- App with embedded apple scripts

- one click to start or close the firewall and VPN

- lets you select and start your available tunnelblick VPN connections

- based on jessez's scripts so can be updated separate of this app

- checks to make sure both firewall and VPN are connected for a true secure connection

- 10.8 users get new Notification system (just for fun)

Basically it runs the shell scripts to check statuses and open and close connections. Built it for myself, but would happily maintain it for other users' feedback. It will likely become a full Mac app with a real interface soon.


Hi,

Yes, I have been looking at those instructions. But is there an easy way to turn the pf firewall on and off? I don't always want to run traffic through the VPN.

Guest ergolon

Sounds amazing!

Looking forward to you releasing it!

Best wishes,

ergolon


Hi ergolon,

About this:

One thing that still won't work (and what I desperately need ;-) is connecting to my local NAS (192.168.1.10) via AFP or SMB.

NAS via Web-Interface: yes

NAS via SMB or AFP: no

Any ideas?

After some serious thought, the only ideas I can think of are these:

You may have to add lines like the one to allow ftp access, with the ports listed and IP addresses for your computer and your computer(s) you are using for smb and afp. The ports for SMB would be: on UDP ports 137, 138 & TCP ports 137, 139 and 445. For afp would be: TCP 548.

Here's a great list of ports used by Apple products, just for everyone's reference: https://support.apple.com/kb/ts1629

I don't know why exactly that would work, since all ports below 1024 should be open in the firewall anyway, but it's something to try.

The other thought I have is it maybe that the ruleset is blocking those connections before they are getting to a rule that would pass the traffic, so maybe the rule to allow the connection needs to be above any rule that has "quick" in it, because of the way pf parses rules.

The way pf works is that any rule that has "quick" in it will either block everything matching, for a rule that is a "block" rule, or pass everything matching, for a rule that is a "pass" rule, but then there is no further parsing of the traffic after that. I have a hard time getting my head around that one, so sorry if the explanation isn't very good. Anyway, for the block rules in your case, try taking out the "quick"(s) and see what happens. The only advantage to having "quick" in the ruleset is to speed up the firewall parsing rules, which is one of the things that makes pf great, and it is also no security risk.

The link that admin posted in post# 4851 will probably explain that better than I have about "quick" and parsing and I know there is some info about that in man pf.

So, let me know how it goes. I need some sleep but want to post another couple of things here first, so I'll leave it there, but this issue is one that needs to be solved for you and anyone else that needs similar to what you need, so let's work it out.

Best regards,

jessez
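An added example, not code from this thread or from AirVPN: a small Python model of pf's rule order as jessez describes it above (the last matching rule wins, unless a matching rule says "quick", which ends evaluation), run over the 10.8.2 user's ruleset quoted earlier in the thread. It shows why the admin flagged "pass out quick inet from 10.0.0.0/8" when the LAN is 10.0.1.0/24, and why the per-/16 rules for 10.4.0.0 to 10.9.0.0 fix it. The <vpn> table entry and the destination address are constructed documentation addresses, and the model ignores state, protocols and TCP flags.

```python
import ipaddress

# Constructed stand-in for the <vpn> table referenced by the rules below;
# 203.0.113.10 is a documentation address, not a real AirVPN server.
TABLES = {"vpn": ["203.0.113.10"]}

# Rules quoted from the 10.8.2 user's "pfctl -sr" output (LAN 10.0.1.0/24);
# the last one is the rule the admin said was wrong.
LEAKY = [
    "pass out quick inet from 10.0.0.0/16 to <vpn> flags S/SA keep state",
    "block drop out log inet from 10.0.0.0/16 to any",
    "pass out quick inet from 127.0.0.1 to any flags S/SA keep state",
    "pass out quick inet from 10.0.0.0/8 to any flags S/SA keep state",
]

# The same ruleset with the posted fix: one /16 per AirVPN tunnel range.
FIXED = LEAKY[:-1] + [
    "pass out quick inet from 10.%d.0.0/16 to any flags S/SA keep state" % n
    for n in range(4, 10)
]


def _match_addr(spec, addr):
    """Match one address against 'any', a <table>, a host or a CIDR."""
    if spec == "any":
        return True
    if spec.startswith("<") and spec.endswith(">"):
        return any(_match_addr(e, addr) for e in TABLES.get(spec[1:-1], []))
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def parse_rule(line):
    """Parse the subset of pf.conf syntax used in the thread into a dict."""
    toks = line.split()
    rule = {"action": toks[0], "dir": None, "quick": False, "iface": None,
            "src": "any", "dst": "any"}
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok in ("in", "out"):
            rule["dir"] = tok
        elif tok == "quick":
            rule["quick"] = True
        elif tok in ("on", "from", "to"):
            i += 1
            rule[{"on": "iface", "from": "src", "to": "dst"}[tok]] = toks[i]
        # "drop", "log", "inet", "flags S/SA" and "keep state" do not change
        # which rule matches in this simplified model, so they are skipped.
        i += 1
    return rule


def evaluate(ruleset, direction, iface, src, dst):
    """Last matching rule wins; a matching "quick" rule ends evaluation.
    With no matching rule at all, pf's default is to pass."""
    verdict = "pass"
    for rule in map(parse_rule, ruleset):
        if rule["dir"] not in (None, direction) or rule["iface"] not in (None, iface):
            continue
        if not (_match_addr(rule["src"], src) and _match_addr(rule["dst"], dst)):
            continue
        verdict = rule["action"]
        if rule["quick"]:
            break
    return verdict


if __name__ == "__main__":
    # LAN address sending straight to a web server on en1 (tunnel bypassed):
    # the /8 rule passes it, the /16 rules leave the block rule as the winner.
    print(evaluate(LEAKY, "out", "en1", "10.0.1.11", "198.51.100.1"))  # pass
    print(evaluate(FIXED, "out", "en1", "10.0.1.11", "198.51.100.1"))  # block
    # Traffic from a tunnel address on tun0 is still allowed.
    print(evaluate(FIXED, "out", "tun0", "10.5.1.2", "198.51.100.1"))  # pass
```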


Hi zurahthustra.

quote: But is there an easy way to turn pf-firewall on and off?

Yes, easy, but maybe not a great idea unless you are behind another firewall such as a router, etc... Here are the commands:

off/disabled: sudo pfctl -d

on/enabled: sudo pfctl -e

and to flush the rules is this, but it doesn't change the enabled/disabled state: sudo pfctl -Fa

Hope that helps,

jessez


Hi tc3182,

That sounds great, but there is going to be a problem with the scripts for pf rules and I really wouldn't recommend using the one from the beginning of this topic, for two reasons: as we've all been learning and figuring out how this firewall works, it's become apparent that there are many scenarios using IP address space and subnets, and therefore there would need to be a number of scripts to cover as many of the different scenarios as possible without making huge numbers of them; and the other thing is that there have been server changes since I first posted that script, and it didn't include all the servers when I made it. So it will be easy to fix by adding every server IP in the <vpn> rule, which shouldn't really be any security problem, and people who are concerned about that can easily take out the server addresses they don't want. Also the lines that allow all 3 ports that are available for a VPN connection (53, 80 and 443) need to be added to the script, so that that part will work in any scenario.

So, now I need some sleep, but tomorrow I should have some time to start working on new scripts if you like, and I will be happy to help with anything else I can with regards to your project as pf is a bit of a pain in the butt to configure and I'd be happy to have some scripts/software to help with that.

As an aside has anybody tried Icefloor from Hanynet lately? I tried it in versions 1.0 and 1.1, and found it too much of a beta to be practical, but I see now that they are up to v.1.3 (I couldn't find the release date - sorry) and maybe would be worth taking a look at it again if no-one has tried it recently.

Best regards,

jessez


What I built out manages pfctl and tunnelblick - it's not intended to help with configuring either of those. Nothing earth shattering, just convenience for starting the built in pf firewall and selecting then starting/stopping a tunnelblick connection. If already connected, it will let you disconnect both. A simple on/off switch.

Since it calls pfctl, it is agnostic to the specifics of the pf.conf. The pf.conf rules are NOT embedded in the scripts. Start with Jessez's above, tweaked for updates and/or your specific needs.

Beyond convenience it does some basic checks to make sure that you have both firewall and vpn connected and warns you if not.

I'll drop this up here now for use as-is, and gladly take feedback. This is purely a hobby for me and limited to pf and tunnelblick.

Jessez, I'd like to make something more robust and with a bona fide interface. If you have some scripts/etc to share that'd be great, I can integrate/rebuild on a stronger platform.

App + readme attached.

PF-VPN.zip


Hi tc3182,

OK, I see, pretty much everything I said was totally irrelevant...lol, my mistake.

What you are doing sounds great, I'll take a look at it. I should say now though that I use viscosity, so I won't be able to tell much if anything about the tunnelblick part.

Thanks for your work and best regards,

jz
