Showing results for tags 'gufw'.
Found 3 results

  1. WARNING: this guide assumes that you have no IPv6 connectivity. If you have, you should block outgoing IPv6 packets while connected to the VPN with "ip6tables". Please see https://airvpn.org/faq/software_lock

     Here is a guide to prevent leaks and completely stop traffic when the VPN drops in Linux. If the OpenVPN connection drops you will not be able to access the internet while the firewall is activated. Just click the "stop firewall" button and reconnect with OpenVPN, then re-enable the firewall. If you wish to connect to the internet without OpenVPN, just press the "stop firewall" button within Firestarter. This way you are protected if the VPN drops. Tested on Debian, Ubuntu, Mint, and OpenSUSE. This assumes you have already set up OpenVPN on Linux by following the guide here: https://airvpn.org/linux/

     1) Install the Firestarter firewall for Linux by opening the terminal and typing:
        sudo apt-get install firestarter
     2) Allow traffic on the OpenVPN interface by updating /etc/firestarter/user-pre. There are multiple ways to do this depending on your Linux distro. Here are two examples.
        A) Open the terminal with root privileges and type:
           gksu gedit /etc/firestarter/user-pre
           Add the following text to /etc/firestarter/user-pre and save:
           $IPT -A INPUT -i tun+ -j ACCEPT
           $IPT -A OUTPUT -o tun+ -j ACCEPT
        B) The second way is simply to go to the folder /etc/firestarter/, click on the file user-pre and open it in a terminal with root privileges. Then add the same two lines and save:
           $IPT -A INPUT -i tun+ -j ACCEPT
           $IPT -A OUTPUT -o tun+ -j ACCEPT
     3) Restart Firestarter by opening the terminal and typing:
        sudo /etc/init.d/firestarter restart
     4) Follow the images below to finish. You may have to restart the machine afterwards.
     [Screenshots (Photobucket images, not preserved): 01firewallwizard.png, 02firewallwizard.png, 03wizard.png, 04selectthepolicytab.png, 05nothingdotooninboundp.png, 06selectoutboundtraffic.png, 07policyoutboundsetrest.png]
  2. Personally I'm using gufw for Linux, and it works very well. However, it's important to remember that gufw is just a graphical frontend for ufw, and ufw, in turn, is just a friendlier system for manipulating iptables (which is again a system for manipulating netfilter directly in the running kernel). Gufw is perhaps oversimplified, which is why I find it not really that great for anything other than providing an overview of your rules and turning the firewall on and off.

     With regards to Firestarter, I have tried it once, but I didn't really have any good experience with it, since, as you guys have already posted, it seems rather poorly coded and does some odd things when manipulating iptables. What I found invaluable about ufw is its ability to specify rules based on interface and its simplicity, even though it's quite powerful. This was my main motivation for using it over other solutions like Firestarter, and Shorewall was too complicated for my taste.

     My rule approach goes like this:
     - Allow connections OUT to the AirVPN servers I use the most (for connecting/reconnecting to the AirVPN service, entry IPs, marked RED on the screenshot)
     - Allow connections OUT FROM the tun0 interface TO anywhere (when I'm connected, this is the interface used to communicate with the Internet, marked GREEN on the screenshot)
     - Allow connections (UDP/TCP) IN TO the tun0 interface on a specific port (to enable AirVPN's port forwarding feature, marked BLUE on the screenshot)
     - Allow connections IN FROM the 192.168.1.0/24 network TO the eth0 interface (enable home networking. Notice how it's on a different interface, YELLOW)
     - Allow connections OUT FROM the eth0 interface TO the 192.168.1.0/24 network (enable home networking, also on the eth0 interface, YELLOW)
     - Block ALL other traffic (by choosing DENY/DENY in gufw)

     When the VPN drops (and the tun0 interface is disabled), the only connections allowed OUT from the computer are to the AirVPN server IPs (to reconnect) and the local 192.168.1.0/24 network (to still function in the LAN). And the only connections allowed TO the computer are from the local network as well. No leaks.

     Now, the gufw GUI doesn't allow for specifying the interface (remember, it's oversimplified), so to do that it's necessary to use ufw directly. Gufw can, however, display the rules when created by ufw. For example:
     - "sudo ufw allow out on tun0 from any to any" is quite straightforward, and of course creates the rule that allows communication TO the Internet when connected to AirVPN.
     - "sudo ufw allow in on tun0 from any to any port xxxxx" enables the port forwarding feature by allowing packets to the specified port on the tun0 interface to pass through.

     Tips:
     - The order of the rules is very important; mimic mine on the attached screenshot.
     - To add rules in a specific order from the command line, use "insert x": "sudo ufw insert 3 allow in on tun0 from any to any port xxxxx" inserts the rule at the 3rd position and moves the rules below it downward, including the previous rule nr 3.
     - When adding rules via the command line, press F5 in gufw to force a refresh and view the newly added rule.
     - The ufw manual is well worth reading, although you may not need any more information than offered in this post.
     - With this approach, you're blocking multicast addresses possibly forwarded by your router. Just a thing to keep in mind in case you need it; it is of course easily remedied by creating a new rule allowing the address(es).

     Let me know how this works for ya
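     The rule set worric describes above, as an added example that is not part of the original post or of AirVPN's own tooling: a shell script that generates the ufw commands in the prescribed order (default deny both ways, then the entry IPs, then tun0, then the LAN) and can apply them. The entry IPs (203.0.113.x, from the documentation address range), the forwarded port 12345 and the interface names are placeholders and assumptions; substitute your own. By default it only prints the commands (DRY_RUN=1); run it as `sudo DRY_RUN=0 ./airvpn-ufw.sh` to apply them.

```bash
#!/usr/bin/env bash
# Added example (not from the post): generate/apply the ufw "kill switch" rule set
# described above. Default deny in + out, then allow-rules in the order the post
# prescribes: entry IPs first, then the tunnel, then the LAN.
set -eu

# Assumptions / placeholders: replace with the entry IPs of the AirVPN servers you
# actually use, your LAN range, the port AirVPN forwards to you, and your interfaces.
ENTRY_IPS="${ENTRY_IPS:-203.0.113.10 203.0.113.11}"  # TEST-NET-3 placeholders, not real servers
LAN_NET="${LAN_NET:-192.168.1.0/24}"
FWD_PORT="${FWD_PORT:-12345}"                        # hypothetical forwarded port
VPN_IF="${VPN_IF:-tun0}"
LAN_IF="${LAN_IF:-eth0}"

# Print one ufw command per line, in the order they must be applied.
# Because the set starts from "ufw --force reset", plain "allow" appends in
# sequence, so the resulting rule numbering matches the post's ordering.
build_rules() {
  echo "ufw --force reset"
  echo "ufw default deny incoming"
  echo "ufw default deny outgoing"
  # RED: out to the entry IPs, so OpenVPN can (re)connect while the tunnel is down
  for ip in $ENTRY_IPS; do
    echo "ufw allow out to $ip"
  done
  # GREEN: everything out via the tunnel
  echo "ufw allow out on $VPN_IF from any to any"
  # BLUE: AirVPN port forwarding, inbound on the tunnel to the forwarded port only
  echo "ufw allow in on $VPN_IF from any to any port $FWD_PORT"
  # YELLOW: LAN traffic on the physical interface, both directions
  echo "ufw allow in on $LAN_IF from $LAN_NET"
  echo "ufw allow out on $LAN_IF to $LAN_NET"
  echo "ufw --force enable"
}

# Later additions must keep the ordering: a new entry IP goes in at position 1,
# ahead of the tun0 rule, which is what "insert x" in the post is for.
add_entry_ip_cmd() {
  echo "ufw insert 1 allow out to $1"
}

# 1-based line of the first generated command containing $1 (0 if none);
# used to check that the ordering came out as intended.
rule_position() {
  build_rules | awk -v pat="$1" 'index($0, pat) { print NR; found = 1; exit } END { if (!found) print 0 }'
}

# Apply for real (root required). With DRY_RUN=1 (the default) only print.
apply_rules() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    build_rules
  else
    build_rules | while IFS= read -r cmd; do
      # $cmd is unquoted on purpose: each line is one ufw invocation generated above
      $cmd
    done
  fi
}

apply_rules
```

     Two caveats that follow from the posts on this page: with IPV6=yes in /etc/default/ufw the default deny applies to IPv6 as well, which addresses the ip6tables warning in the first post; and because nothing but the entry IPs and the LAN is reachable while the tunnel is down, name resolution only works through the tunnel, so ENTRY_IPS must be literal addresses rather than hostnames.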
  3. Hi, I've been using ufw/gufw for a long time now to prevent leaks, which works great after I followed worric's guide https://airvpn.org/topic/5586-prevent-leaks-with-linux-firestarter-also-stop-traffic-when-vpn-drops/?do=findComment&comment=5642 However, there's one drawback, which is that all IPs must be resolved prior to connecting because the DNS resolution doesn't get through the firewall. The problem with this is that you can't let it choose the best server for the area/region by resolving, for instance, gb.vpn.airdns.org. It seems that the best you can do is get a random selection from the list of servers. Is there a way around this? For example, to only let that DNS query through? Or am I wrong somehow? Any clarification is greatly appreciated!

     Edit: Grammar