Search the Community

A company I work at utilizes the Sophos UTM Firewall for packet filtering. While it's perfectly okay for me when they block torrent sites or porn, they also block games sites (steampowered.com), personal storage services (wuala.com) and anonymizers (airvpn.org). They even drop packets to social network domains (facebook.com) (no blocking message, Firefox says it simply couldn't connect). OS is Windows XP. Regardless of the changes made to the computer PC Sheriff restores a preconfigured snapshot after every reboot. But what serious changes can be made if the only user you can login to is restricted? So, first thought: proxy. But hell no, proxy-listen.de is blocked! And pretty much every other website offering a proxy list which I found on the internet, too. Okay, I need new ideas. TOR. Oh no. Blocked. Then, by accident, I typed airdns.org instead of airvpn.org and Firefox successfully connected to the AirDNS website. There are two links - AirVPN homepage, and a link to the DNS FAQ entry. Both work, although airvpn.org is blocked. I can even type airvpn.org after this and Firefox could establish a connection. This really turned everything upside down. What if torproject.org can be unlocked in the same way? So I searched for Torproject.org with Google and clicked the link. Success! But why on earth does this work? I could even download the package! I installed it, I attempted a connection. It's stuck at "Connecting to a relay directory". Last week I let it run for an hour and it could successfully connect to a directory but couldn't go further. Pity. Don't have the time to let it run longer. My ideas to solve this: Linux Live CD. But I cannot configure the network settings because there seems to be no DHCP server and I cannot view network settings, registry, command prompt, the device manager, etc. for valuable information on IPs for example.Configuring a small proxy at home and connecting to it. Since the firewall is clearly working in blacklist mode it would work. But I need some advice on which software to use and how to configure it to redirect traffic. Never did that before, honestly. I appreciate every kind of input you can share, especially on other ideas and guides. Thank you in advance.

Hello everyone, I purchased AirVPN recently to keep my torrent traffic private, and am just now getting around to putting it to use. However, I'm getting some extremely slow speeds, or rather no speed at all. I'm using the AirVPN client and letting it connect to a recommended server, but consistently get 0 B/s (Yes, that's B/s) download and upload. It will occasionally jump to ~100 B/s, or even ~100 KB/s, but drops back to 0 B/s shortly after. I also took the speed test on this website which gave the following results: Down: 0.477 Mbit/s Out, 0.470 Mbit/s In (98%), 1MB - Up: 0.382 Mbit/s Out, 0.322 Mbit/s In (84%), 1MB - Date: Tue, 31 Mar 2015 19:28:09 GMT - Buffers: 1MB/1MB - Laps: 3, Time: 325.56 secs Not quite 0 B/s like the AirVPN client says, but still unacceptably slow considering I get around 50-60 Mbits/s download and upload (Verizon) when not connected to the VPN. I'm a total greenhorn when it comes to just about anything networking, and assume I messed something up when trying to configure the VPN with my torrent client (Deluge), so I'm just going to go into what exactly I've done so far and then maybe someone here can give me some guidance. First, I followed the P2P optimization guide found here: https://airvpn.org/faq/p2p/ In the end, my settings look like this: http://i.imgur.com/SnGiGJ9.png Which looks correct to me, for whats its worth. Second, I setup Windows firewall rules to block Deluge's connection in the event that the VPN unexpectedly disconnects, or I forget to turn it on or something. I did so following this guide: https://vpn.ac/knowledgebase/55/Windows-Firewall-rules-to-block-P2PorTorrent-traffic-if-VPN-disconnects.html I tested to make sure it works with the little speed I have and it does seem to work. I'll get a few KB/s while connected to the VPN, and it will stop or start back up when I disconnect and reconnect to the VPN respectively. Aside from those two things, I've done nothing else, and don't even know if there is still more I need to do aside from those two things. I'm hoping the pros here can point me in the right direction because what I've tried to find out on my own so far has been fruitless. Thanks in advance!

Hi everybody, At the moment i am using Comodo internet security 8 and i like it.I have not noticed any security problems whilst using it but from reading some of the comodo forums its not as secure as CIS 7. I have used Airvpn's guide to block everything outside the VPN which is mainly why i use it. I would like to know some of the views from Airvpn and its users on what the best firewall and antivirus solution is.Also recently with the privdog issue bundled with comodo 6 and 7 and also its browsers i'm less sure that security and privacy is really their top concern.I have not been able to find a decent explanation about the privdog issue from comodo so am looking for an alternative. I am not a wreckless googler clicking on anything but i worry with the bugs in 8 i may not as secure as i thought. Some of the videos i've seen about how easy it is for those who know how to bypass its security make me wonder if comodo is still the best option for me. What do you guys think and recommend. This is the link about comodo 8 issues ( https://forums.comodo.com/news-announcements-feedback-cis/do-you-still-think-that-comodo-v8-is-safe-to-use-t108660.0.html )

Hello, I am testing airvpn and I was wondering why I have to use Windows Firewall rather than my Comodo Firewall. I don't want to use Windows. My previous VPN did not use it and I seemed to be secure after doing port checks and so on. It is confusing having 2 Firewalls active. For a new user it will be too difficult to mess around with Firewall setting so mybe there should be an option to use another Firewall when installing airvp program?

Dear community, Hoping someone can help with this.... I am trying to setup a firewall script for my router running Tomato Firmware 1.28.0000 -121 K26ARM USB AIO-64K by SHIBBY on a Netgear R7000 Nighthawk on mostly default settings apart from the VPN Client. The script is to block all non-VPN traffic even if the connection fails and i have tried several suggestions made in the forums without success. Below is the script most people have success with (except me): iptables -I FORWARD -i br0 -o tun0 -j ACCEPT iptables -I FORWARD -i tun0 -o br0 -j ACCEPT iptables -I FORWARD -i br0 -o vlan2 -j DROP iptables -I INPUT -i tun0 -j REJECT iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE (from https://airvpn.org/topic/4287-how-to-block-all-traffic-with-dd-wrt-if-vpn-connection-fails/) I think the problem lies in the assigned interface names. Below is my current routing table while VPN'd: In short can someone modify the script to suite my arrangement?? or let me know what direction I need to take to set this up.... using the script above lets traffic through even if I stop the VPN client and my attempts to modify usually blocks all traffic. Any help would me much appreciated, EWS

Hi everyone JC here, I havn't found anything useful on the fourms so far but everytime I connect to the severs any host I keep getting a short fragment network attack and the whole connection gets cut and forced to another server where it will ontinue the same loop. This is mainly while torrenting and has happended on servers in a few countries. Is there a way to fix this because the native firewall in my AV/IS is useless and I have used outpost before I started using torrents. If there is anymore information I can go into great detail but it's 4:47AM now after I've tried for about 3hrs to confiq it right. Any help or suggestions would be much appreciated.

Hi I've tried to heed the advice given in the how-to thread for this, but I haven't been able to alter it to work for Firewalld. Programs mentioned in the thread like Firestarter and gufw don't seem to be in the repos. My best development so far has been using the "Panic mode" function to block all traffic, and then allowing only certain programs. However I'm not sure what to allow in order to get OpenVPN to work (other than OpenVPN obviously). Can anyone please help with this?

I need to set up port forwarding in order to run a Bitcoin client (Bitcoin Core). The default port for Bitcoin is 8333, so I tried using that number for the local port and a random number for the remote port. Unfortunately in this case I get only 8 connections (a symptom that the port is closed). If I use a random number for both the local and the remote port I get an higher number of connections (a symptom that the port is open), but after several hours the total uploaded data is not significantly higher than the downloaded data (a symptom that I'm not really contributing to the Bitcoin network). What can I do? Also I'm using Gufw as my firewall of choice. In this case which port should I allow? The local or the remote one? Thank you.

Hi guys, I set up Comodo Firewall in the way you descriped it on this tutorial https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=3405&Itemid=142 I did everything correctly (I think so) but I'm still leaking DNS. When I access AirVPN homepage via VPNClient it says at the bottom "not connected" Any ideas how to fix this?? I can see my own IP address

Hi guys! So I am attempting to setup my Transmission bittorrent client with Transdrone (Transdroid) app on Android. I want to be able to use this android remote app to connect to my desktop (where Transmission is running) while I am connected to this VPN. So I: 1) Connected to a server (say Server A). 2) Configured port forwarding on AirVPN's site (AirVPN > Client Area > Forwarded ports). Let's say I forwarded port 7712 and 7713. 3) Logged into Transmission and set port 7712 as the Incoming port (Transmission > Preferences > Network) and made sure 'Pick a random port at startup' was unchecked. 4) Allowed remote access (HTTP) from port 7713 and configured username/password authentication. Made sure 'Only allow these IP addresses' was unchecked. 5) Then set my firewall to allow incoming connections from port 7712 and 7713 (TCP). * I DID NOT log into my router and configure port forwarding for these ports (or any for that matter). When I hit the 'Test Port' button (Transmission > Network) to test port 7712, it says 'Port is OPEN'. Cool. ----- So what is my post about? Well there are some instructions on this page that confuse the heck outta me: https://airvpn.org/faq/p2p/ I do not understand what is being communicated here... "If you forward a port for a p2p torrent client, do NOT remap it to a different local port and make sure that the torrent client port matches the remotely forwarded port number" - What is meant by "do not remap it to a different local port"? Am I supposed to log into my router and setup port forwarding for port 7712 & 7713? "do NOT forward on your router the same ports you use on your Bittorrent or eMule client (or any other listening service) while connected to the VPN" - Doesn't this contradict the previous instruction? What is the correct way to configure port forwarding so that my P2P client will work with my android remote app? (and seed)

I would like to set up my router's firewall to deny all inbound and outbound traffic unless it is coming from or going to the airvpn servers. Is there a group of static IP addresses I can use to define this? Thank you.

I have been configuring my firewall through UFW and GUFW following "Prevent leaks with Ubuntu Linux & gufw/ufw (thanks to worric)" at https://airvpn.org/topic/5586-prevent-leaks-with-linux-firestarter-also-stop-traffic-when-vpn-drops/?do=findComment&comment=5642 I have followed the instructions with success: incoming and outgoing traffic ok when tun0 is up, and all traffic denied when tun0 is down. However It seems a server's IP address is not always the same as the one stated in the client area when connected, so when reconnecting firewall won't let out going traffic to a new IP address (which is correct). Where can i find favorite server's IP address and variations?

How do you configure the firewall (I'm wondering about both Comodo (Windows) and GUFW (Linux)) when using Air VPN over TOR? Or, are the firewall settings to prevent leaks the same as if I were just using Air VPN? Assuming I was fine with my ISP seeing that I'm using TOR, is there any reason to choose TOR over VPN instead of VPN over TOR? I read the TOR page on this site, but I just want to be sure there aren't cases in which I shouldn't choose VPN over TOR. I've heard some people talk about wanting to hide from their ISP the fact that they are using TOR. Why is this? Do some ISPs not tolerate their customers using TOR?

I have used AirVPN quite a long time, but recently I noticed something which, in my opinion, need further explanation. When I am disconnected from AirVPN, my firewall is able to pass all the tests on Gibson Research Corporation's site. When I am connected to one of AirVPN servers (it doesn't matter which precisely - my test was proceeded on Linux Ubuntu 13.10 and Windows 8.1), Gibson's report reveals holes in firewall. They are related actually, as I presume, to AirVPN server's firewall, not mine. However, port 88 (Kerberos) is open. Furthermore, system replies to ping. Could you explain, is it deliberate action? Is it safe? Is my security copromised? Can someone obtain unauthorized access to my computer through port 88? I would like to emphasize in the end that my firewall works properly. I use Online Armor and I have tested AirVPN connection with Comodo Firewall as well. Thank you. Please respond. Screenshots are below.

Hi AirVPN Forums, Love The Service!. Ok, Well this is my Enquiry, is there a way to Exclude an IP Address on the router, & put it outside the VPN Connection. for example, My laptop is 192.168.1.8 & Thats happily running within VPN. BUT i want 192.168.1.200 To be Outside of this zone & be able to access the internet with 0 VPN Connection.. So it will show the ISP's Provided IP Address.. Sorry if this question is somewhat vague & Badly Formatted. Thanks. Stan464. More INFO Router: Netgear WNR834B DD/FW: DD-WRT OpenVPN Build. GWIP: 192.168.1.1 ISPGW:192.168.0.1

Hello, You reccommend Comodo as being a very good firewall for Windows. What about Smart Security from Eset? And if so do can you provide some settings that we should use in order not to get leaks?

This guide shows how to set rules to prevent leaks in case of unexpected VPN disconnection and provides you with clear scripts ready to be used with basic modifications on Red Hat Enterprise Linux and RHEL rebuilds such as Oracle Linux, Scientific Linux, X/OS, CentOS etc. THANKS TO JESSEZ - ORIGINAL POST BY JESSEZ (minor editing & clean-up by Air staff) This method requires the ipset package: sudo yum install ipsetRHEL 6 and rebuilds (Oracle Linux, Scientific Linux and CentOS) do not have a kmod-ipset that I could find. The ip_set module has to be loaded manually as neither netfilter, iptables nor conntrack call the module themselves. As far as I know some Linux distros do have a kmod for ip_set so that would make usage of sysconfig/ipset.conf not necessary and also could cause a boot-time error (fatal nor not). The ip_set module has to be loaded and a script run to load the ip_set script (creates and contains the AirVPN server IP addresses) so that there is a table to be read by the time iptables_restore runs (otherwise iptables_restore throws the error that no ipset "airvpn" exists). So there are 3 files. The first and the second file can be found attached to this message. The last one is a system file that needs a modification. 1 /etc/sysconfig/ipset.conf This script tests whether the ip_set module is already loaded. If not it loads it into the kernel (modprobe). ipset.conf.txt 2 /etc/sysconfig/ipset-airvpn.sh This file creates and fills the ip_set table of AirVPN server addresses. I haven't listed the servers, so that no-one can just open the file and get the server IPs. Add the ones you want where the a.b.c.d 's are. Add or subtract lines as necessary. I think I added enough buffers so that all the servers should be able to go into the table (which lives in RAM while the system is up and is lost at shutdown/re-start). After running the script use: sudo ipset -L airvpn -to make sure all the servers you added to the script are there (It's easiest just to count the lines if you know how many servers you added in the first place), if not, change the part: hashsize 65536 to the next larger: hashsize 131072 (doing this obviously eats up RAM, so don't change it unless you need to) and note that the hashsize can start at 1024 and can only be a power of 2 (1024, 2048, 4096, ..., 131072...) If you're only using one or two servers and you need to save RAM, just change it down, re-run the script and issue the command sudo ipset -L airvpn again to check that all the desired servers are listed. Keep doubling the hashsize until they are. If anyone is wondering about the -exist option, it's there so that in case of accidental duplication of an IP address the script won't fail. iptables-airvpn_2013-01-19.txt 3 /etc/init.d/iptables This is the system file, so be careful; add 2 new lines that become line 55 and line 56: # Load /etc/sysconfig/ipset-airvpn.sh to make the airvpn table sh /etc/sysconfig/ipset-airvpn.sh Ok, that should be it, iptables and the "airvpn" ipset table should now survive a reboot with no errors. Test by rebooting, and trying Internet access of any and /or several kind(s) before starting a VPN connection when the desktop is up. If it's working you will have no Internet before starting a VPN connection, and you will be able to connect to any of the servers you added to ipset-airvpn.sh without OpenVPN throwing an error (probably: write UDPv4 []: Operation not permitted (code=1)). Note: rename the attached files according to the names given above. Put the files in the appropriate folders as listed above. Regards, jz

Please see the following guide (courtesy of jessez, thank you very much jessez!): https://airvpn.org/topic/1713-win-mac-bsd-block-traffic-when-vpn-disconnects/page-3?do=findComment&comment=2756

In order to prevent leaks on *BSD and Mac OS X systems with pf, please see this guide by jessez: https://airvpn.org/topic/1713-win-mac-bsd-block-traffic-when-vpn-disconnects/page-2?do=findComment&comment=2532 Thank you very much jessez! Kind regards

EDITED ON 21 Aug 12 EDITED ON 24 Nov 12: added important note for some Linux users, see bottom of message EDITED ON 02 Jun 15: please refer to https://airvpn.org/faq/software_lock for a more advanced set of rules WARNING: this guide assumes that you have no IPv6 connectivity. If you have, you should block outgoing IPv6 packets while connected to the VPN with "ip6tables". Please see https://airvpn.org/faq/software_lock Hello! You can use iptables, a very powerful packet filtering and NAT program (probably one of the most powerful, if not the most powerful of all). iptables is already included in all official Ubuntu distros and most Linux distros, anyway if you don't have it just install it with aptitude. Adding the following simple rules will prevent leaks in case of [accidental] VPN disconnection. In this example, it is assumed that your network interface is eth+ (change it as appropriate; for example, you might have wlan0 for a WiFi connection). a.b.c.d is the entry-IP address of the Air server you connect to. You can find out the address simply looking at the line "remote" of your air.ovpn configuration file. In case of doubts, just ask us. Some of the following rules might be redundant if you have already chains. Assumptions: you are in a 192.168.0.0/16 network and your router is a DHCP server. You have a a physical network interface named eth*. The tun adapter is tun* and the loopback interface is lo. iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT #allow loopback access iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT #make sure you can communicate with any DHCP server iptables -A INPUT -s 255.255.255.255 -j ACCEPT #make sure you can communicate with any DHCP server iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT #make sure that you can communicate within your own network iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT iptables -A FORWARD -i eth+ -o tun+ -j ACCEPT iptables -A FORWARD -i tun+ -o eth+ -j ACCEPT # make sure that eth+ and tun+ can communicate iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE # in the POSTROUTING chain of the NAT table, map the tun+ interface outgoing packet IP address, cease examining rules and let the header be modified, so that we don't have to worry about ports or any other issue - please check this rule with care if you have already a NAT table in your chain iptables -A OUTPUT -o eth+ ! -d a.b.c.d -j DROP # if destination for outgoing packet on eth+ is NOT a.b.c.d, drop the packet, so that nothing leaks if VPN disconnects When you add the above rules, take care about pre-existing rules, if you have already some tables, and always perform a test to verify that the subsequent behavior is what you expect: when you disconnect from the VPN, all outgoing traffic should be blocked, except for a reconnection to an Air server. In order to block specific programs only, some more sophisticated usage of iptables is needed, and you will also need to know which ports those programs use. See "man iptables" for all the features and how to make the above rules persistent or not according to your needs. Warning: the following applies ONLY for Linux users who don't have resolvconf installed and don't use up & down OpenVPN directives with update-resolv-conf script In this case, your system has no way to process the DNS push from our servers. Therefore your system will just tunnel the DNS queries with destination the DNS IP address specified in the "nameserver" lines of the /etc/resolv.conf file. But if your first nameserver is your router IP, the queries will be sent to your router which in turn will send them out unencrypted. Solution is straightforward: edit the /etc/resolv.conf file and add the following line at the top (just an example, of course you can use any of your favorite DNS, as long as it is NOT your router): nameserver 10.4.0.1 # in order to use AirVPN DNS nameserver 31.220.5.106 # in order to use OpenNIC DNS only if AirVPN DNS is unavailable Kind regards Original thread post: https://airvpn.org/topic/1713-win-mac-bsd-block-traffic-when-vpn-disconnects/page-2?do=findComment&comment=2010

Hello! Previous thread on Windows and Comodo to prevent DNS leaks and leaks in case of unexpected VPN disconnection have become very big and detailed. We invite you to consult those threads for details and support, while we publish this message as a quick, clarifying overview of the essential steps. Please note that if you don't use Windows you don't need to read this post. If you use Windows and a firewall other than Comodo, you can anyway take these rules as an example and adapt them to your firewall. This is a minimal set of instructions to prevent any leak in case of unexpected VPN disconnection and prevent, in any case, DNS leaks, on Windows system with Comodo firewall. Comodo firewall is currently the only firewall we recommend for Windows. The free version is just fine for our purposes. Never rename the rules: in case you need support, we need to see what the rules really state. 1) If you're not familiar with a firewall, read Comodo Firewall manual or guides. In particular, please see the following: https://help.comodo.com/topic-72-1-451-4773-global-rules.html https://help.comodo.com/topic-72-1-451-4884-Network-Zones.html 2) Install Comodo Personal Firewall free version available here: https://personalfirewall.comodo.com/ 3) Set the Firewall Security Level to "Custom Policy" 4) Determine or create the Network Zone of your TAP-Win32 network adapter (from now on "AirVPN"). A safe way to define it: IP Range [10.1.0.0 - 10.255.255.255] if you need OpenVPN over SSH/SSL and other alternative connection modes, see also https://airvpn.org/specs 5) Determine the entry-IP addresses of the AirVPN server(s) you wish to connect to: https://airvpn.org/topic/14378-how-can-i-get-vpn-servers-entry-ip-addresses 6) Define a "Global Rule" which blocks everything: Block And Log IP In/Out From MAC Any To MAC Any Where Protocol Is Any The logging is important for troubleshooting if necessary. 7) Put the above Global Rule in the top position. This will block completely your connectivity and let you add a whitelist of Allow global rules put BEFORE this total block global rule. All the "Allow" rules that you want to be evaluated shall be put BEFORE (i.e. higher than) the above block rule. 8) Define a"Global" rule which allows in/out communications of your TAP-Win32 adapter ("AirVPN") both In and Out: Allow IP In/Out From In [AirVPN] To MAC Any Where Protocol Is Any Allow IP In/Out From MAC Any To In [AirVPN] Where Protocol Is Any 9) Do the same for your loopback zone (IP range 127.0.0.1 - 127.255.255.254) Allow IP In/Out From In [Loopback Zone] to MAC Any Where Protocol Is Any Allow IP In/Out From MAC Any To In [Loopback Zone] Where Protocol Is Any 10) Do the same for any entry-IP address of the VPN servers you wish to connect to. For example for Leporis: Allow TCP or UDP In/Out From IP 95.211.191.33 To MAC Any Where Source Port Is Any And Destination Port Is Any Allow TCP or UDP In/Out From MAC Any To IP 95.211.191.33 Where Source Port Is Any And Destination Port Is Any For your comfort, you might define a Network Zone (for example [Air servers entry IPs]) containing only the entry-IP addresses of our servers and then set two rules like Allow TCP or UDP In/Out From In [Air servers entry IPs] To MAC Any Where Source Port Is Any And Destination Port Is Any Allow TCP or UDP In/Out From MAC Any To In [Air servers entry IPs] Where Source Port Is Any And Destination Port Is Any In this way, you will only need to add a single IPv4 address to that Network Zone in order to connect to a new server, instead of defining two additional rules for each server, which may be annoying if you switch between a lot of servers. 11) Add similar rules to allow communications of your device with your router (and within your home/office network, if you wish so). For example, if your network is [192.168.0.0 / 255.255.0.0] define a network zone with IP Range [192.168.0.0 - 192.168.255.255] (let's call it "Home Network") and set the following rules: Allow TCP In/Out From In [Home Network] To In [Home Network] Where Source Port Is Any And Destination Port Is Any Allow UDP In/Out From In [Home Network] To In [Home Network] Where Source Port Is Any And Destination Port Is Not 53 Allow ICMP In/Out From In [Home Network] To In [Home Network] Where ICMP Message Is Any 11a) Allow DHCP "negotiation": Allow IP In/Out From MAC Any To IP 255.255.255.255 Where Protocol Is Any 12) In order to allow "airvpn.org" resolution even when disconnected (and any other hostname you wish to be resolved even when VPN is disconnected), add to your hosts file the line: 95.211.138.143 airvpn.org Do not forget about this change! If we change our main frontend IP address, you will not be able to reach airvpn.org anymore until you remove that line. No more necessary starting with Air client edition 2 "Eddie". 13) If you use the Air client, add rules to allow communications with IP addresses 5.196.64.52 and 95.211.138.143 (two of our frontend servers), In and Out Allow TCP or UDP In/Out From IP 5.196.64.52 To MAC Any Where Source Port Is Any And Destination Port Is Any Allow TCP or UDP In/Out From MAC Any To IP 5.196.64.52 Where Source Port Is Any And Destination Port Is Any Allow TCP or UDP In/Out From IP 95.211.138.143 To MAC Any Where Source Port Is Any And Destination Port Is Any Allow TCP or UDP In/Out From MAC Any To IP 95.211.138.143 Where Source Port Is Any And Destination Port Is Any 14) You can progressively enlarge your whitelist just by adding "Allow" rules before the total blocking rule of point 6) according to your system needs. Keep in mind that there are literally dozens of ways to accomplish the same task with Comodo. Pay attention not to confuse the "-" symbol, which stands for "IP range", with the "/" symbol, which stands for IP address / NetMask. For example, [10.4.0.0 - 10.9.255.255] is correct (the IP range from 10.4.0.0 to 10.9.255.255), while [10.4.0.0 / 10.9.255.255] is NOT correct (IP 10.4.0.0 NetMask 10.9.255.255, which covers almost every existing IP address!). When you have defined all the rules, do not forget to click "Apply" and "OK" in order to store them and make them active for any new connection. Test everything and do not be afraid to experiment before you rely on the secured connection for sensitive data transmissions. Kind regards