Win - Mac - BSD Block traffic when VPN disconnects


169 replies to this topic

#21 Orfeo

Orfeo

    Member

  • Members
  • PipPip
  • 11 posts

Posted 17 March 2012 - 12:14 PM

Hello!

The insertion of the new rule didn’t cause a syntax error message. I will test the new configuration in a little while and report back.
Thanks a lot!

#22 sark1138

sark1138

    Newbie

  • Members
  • Pip
  • 2 posts

Posted 17 March 2012 - 03:43 PM

I've seen the VPN/Firewall Blocking instructions for Comodo. You wouldn't happen to have instructions for a recent version of Norton would you? My experience with networking issues is pretty weak.

#23 Staff

Staff

    Advanced Member

  • Staff
  • PipPipPip
  • 7858 posts

Posted 17 March 2012 - 04:25 PM

I've seen the VPN/Firewall Blocking instructions for Comodo. You wouldn't happen to have instructions for a recent version of Norton would you? My experience with networking issues is pretty weak.



Hello!

We're sorry, currently we don't provide step-by-step support for Symantec products. Symantec products are commercial products which offer full customer support, so you might try to have support from their team. You could:

- replicate the rules suggested for any firewall in the forum (Comodo, PF...) on your Norton Firewall

- switch to Comodo: independent peer-reviews performed with high-standard leak tests show that Comodo Firewall in terms of security is highly superior to Norton Firewall (we underline "firewall"); in severe leak tests Norton Firewall 2012 protection rates as "NONE" (!!!) while Comodo rates as "excellent", see for example http://www.matousec.com/projects/proactive-security-challenge/results.php

- Comodo is not open source but it's freely redistributable, see https://personalfirewall.comodo.com

The only software firewalls for old Windows OS that are not useless (or dangerous) toys are (% shows the percentage of passed leak tests, the higher the better):
Comodo Internet Security 5.3.176757.1236 (FREE): 100%
Online Solutions Security Suite 1.5.14905.0: 99%
Privatefirewall 7.0.25.4 (FREE): 98%
Outpost Security Suite Free 7.0.4.3418.520.1245.401 (FREE): 97%
Outpost Security Suite Pro 7.5.1.3791.596.1681: 97%
BitDefender Internet Security 2011 14.0.30.357: 97%
Kaspersky Internet Security 2012 12.0.0.374: 93%
Malware Defender 2.7.3.0002 (FREE): 91%

Norton Internet Security 2012 has 20% (protection "none").

For the most updated "Proactive Security Challenge", see http://www.matousec.com/projects/proactive-security-challenge-64/results.php. This new challenge shows that apart from Comodo (94%), a secure firewall for 64-bit Windows versions does not exist.

Kind regards

#24 sark1138

sark1138

    Newbie

  • Members
  • Pip
  • 2 posts

Posted 18 March 2012 - 02:22 AM

Thank you. This is very helpful information. I was planning on finding an alternative for Norton, and this helped me determine what anti-virus/firewall combination I will likely go with.

#25 Orfeo

Orfeo

    Member

  • Members
  • PipPip
  • 11 posts

Posted 18 March 2012 - 12:46 PM

Hallo!

When I count the lines of the pf file, the one with the syntax error is this:

block out all

So, for a test, I deleted the line, reset and reloaded the pf.conf, and didn't receive an error message!

The message I got simply reads:

PF firewall reset, configuration reloaded from /etc/pf.con

But is this what I want? Will the firewall now block outgoing packages in case of vpn disconnection?

Thanks



Hello!

No, this is not what you want, the firewall will not block anything without that rule.

Replace it with:
<code>block out from 192.168.0.0/16 to any</code>

PF will block any outgoing packet from 192.168.*.*, except those which match the subsequent "pass out" rules.

If there are no more syntax errors, test the configuration. Activate pf. Now you should lose your Internet connectivity, except toward Lyra. Connect to Air server Lyra entry-IP (62.212.85.65), any port. The connection should succeed thanks to the relevant pass out rule. Now you should have full connectivity. Launch a bittorrent client, share some redistributable content. Let it work for some minutes. Then, disconnect from the VPN. If everything is ok, you should immediately see a total drop of outgoing packets from any application, including the bittorrent client.

Anyway, you should investigate further, because "block out all" is a perfectly legal directive on any pf version.

Kind regards




Hello!

It works! It works!
You guys did a fantastic job. Excellent support! I’m a complete vpn-novice and now I even have a firewall. Thanks a lot.

As to the error message caused by the insertion of the rule “block out any” in the pf.conf file: Could it be due to a conflict with the standard setting of IceFloor which allows access to LAN?

The new rules in the pf.conf file are represented by IceFloor in the frontend “Manage PF rules” panel in this way:

anchor "com.apple/*"
block drop out inet from 192.168.0.0/16 to any
pass out quick inet from 192.168.0.0/16 to 62.212.85.65 flags S/SA keep state
pass out quick inet from 192.168.0.0/16 to 192.168.0.0/16 flags S/SA keep state
pass out quick inet from 127.0.0.1 to any flags S/SA keep state
pass out quick inet from 10.0.0.0/8 to any flags S/SA keep state

Again, thanks a lot.

#26 Staff

Staff

    Advanced Member

  • Staff
  • PipPipPip
  • 7858 posts

Posted 18 March 2012 - 01:26 PM



Hello!

It works! It works!
You guys did a fantastic job. Excellent support! I’m a complete vpn-novice and now I even have a firewall. Thanks a lot.

As to the error message caused by the insertion of the rule “block out any” in the pf.conf file: Could it be due to a conflict with the standard setting of IceFloor which allows access to LAN?

The new rules in the pf.conf file are represented by IceFloor in the frontend “Manage PF rules” panel in this way:

anchor "com.apple/*"
block drop out inet from 192.168.0.0/16 to any
pass out quick inet from 192.168.0.0/16 to 62.212.85.65 flags S/SA keep state
pass out quick inet from 192.168.0.0/16 to 192.168.0.0/16 flags S/SA keep state
pass out quick inet from 127.0.0.1 to any flags S/SA keep state
pass out quick inet from 10.0.0.0/8 to any flags S/SA keep state

Again, thanks a lot.



Hello!

Thank you for your nice words. We're glad to know that you have managed to have a working and secure setup. If there was a conflict, the message should not have been "syntax error", but something different.

Anyway, "block out any"? The rule is "block out all".

Kind regards

#27 kingsroadberkshire

kingsroadberkshire

    Newbie

  • Members
  • Pip
  • 4 posts

Posted 27 March 2012 - 04:29 AM

Hi,

I have a Windows 7 laptop. I am using standard Windows Firewall.

I would like to know how to cut-off internet access (particularly for uTorrent and Opera internet browser) if the AirVpn connection is broken.

I am using airvpn using direct access (i.e., downloaded the air profile into openvpn folder and connected directly).

Thank you.

#28 Staff

Staff

    Advanced Member

  • Staff
  • PipPipPip
  • 7858 posts

Posted 27 March 2012 - 09:47 AM

Hi,

I have a Windows 7 laptop. I am using standard Windows Firewall.

I would like to know how to cut-off internet access (particularly for uTorrent and Opera internet browser) if the AirVpn connection is broken.

I am using airvpn using direct access (i.e., downloaded the air profile into openvpn folder and connected directly).

Thank you.



Hello!

Please see https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=1713&Itemid=142#1715 and subsequent messages on this very same thread.

Currently Comodo Firewall is the only software firewall for 64-bit Windows systems which passes important leak tests, so it is highly recommended not to trust any other software firewall.

Kind regards

#29 kingsroadberkshire

kingsroadberkshire

    Newbie

  • Members
  • Pip
  • 4 posts

Posted 28 March 2012 - 01:25 AM

Thank you. For Comodo Firewall, is it the free version or do I need to buy the paid version?

#30 jmann9000

jmann9000

    Newbie

  • Members
  • Pip
  • 5 posts

Posted 28 March 2012 - 04:05 AM

The Free Version will work perfectly with Windows 7.

#31 ana.pofuk

ana.pofuk

    Newbie

  • Members
  • Pip
  • 6 posts

Posted 09 April 2012 - 08:19 PM

Hello
Solution with Comodo is really straightforward.
Are you maybe aware of any Linux (Ubuntu) solution, which can be used as Comodo on Windows?
Default gufw can not be configured that way; I haven't been able to find a proper simple solution....

Thank you

#32 Staff

Staff

    Advanced Member

  • Staff
  • PipPipPip
  • 7858 posts

Posted 09 April 2012 - 10:00 PM

Hello
Solution with Comodo is really straightforward.
Are you maybe aware of any Linux (Ubuntu) solution, which can be used as Comodo on Windows?
Default gufw can not be configured that way; I haven't been able to find a proper simple solution....

Thank you



EDITED ON 21 Aug 12
EDITED ON 24 Nov 12: added important note for some Linux users, see bottom of message

Hello!

You can use iptables, a very powerful packet filtering and NAT program (probably one of the most powerful, if not the most powerful of all). iptables is already included in all official Ubuntu distros and most Linux distros, anyway if you don't have it just install it with aptitude.

Adding the following simple rules will prevent leaks in case of [accidental] VPN disconnection. In this example, it is assumed that your network interface is eth+ (change it as appropriate; for example, you might have wlan0 for a WiFi connection).

a.b.c.d is the entry-IP address of the Air server you connect to. You can find out the address simply by looking at the "remote" line of your air.ovpn configuration file. In case of doubts, just ask us. Some of the following rules might be redundant if you already have chains.

Assumptions: you are in a 192.168.0.0/16 network and your router is a DHCP server. You have a physical network interface named eth*. The tun adapter is tun* and the loopback interface is lo.

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT #allow loopback access
iptables -A OUTPUT -d 255.255.255.255 -j  ACCEPT #make sure you can communicate with any DHCP server
iptables -A INPUT -s 255.255.255.255 -j ACCEPT #make sure you can communicate with any DHCP server
iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT #make sure that you can communicate within your own network
iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
iptables -A FORWARD -i eth+ -o tun+ -j ACCEPT 
iptables -A FORWARD -i tun+ -o eth+ -j ACCEPT # make sure that eth+ and tun+ can communicate
iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE # in the POSTROUTING chain of the NAT table, map the tun+ interface outgoing packet IP address, cease examining rules and let the header be modified, so that we don't have to worry about ports or any other issue - please check this rule with care if you have already a NAT table in your chain
iptables -A OUTPUT -o eth+ ! -d a.b.c.d -j DROP  # if destination for outgoing packet on eth+ is NOT a.b.c.d, drop the packet, so that nothing leaks if VPN disconnects


When you add the above rules, take care about pre-existing rules, if you have already some tables, and always perform a test to verify that the subsequent behavior is what you expect: when you disconnect from the VPN, all outgoing traffic should be blocked, except for a reconnection to an Air server.

In order to block specific programs only, some more sophisticated usage of iptables is needed, and you will also need to know which ports those programs use. See "man iptables" for all the features and how to make the above rules persistent or not according to your needs.


Warning: the following applies ONLY for Linux users who don't have resolvconf installed and don't use up & down OpenVPN client scripts

In this case, your system has no way to process the DNS push from our servers. Therefore your system will just tunnel the DNS queries with destination the DNS IP address specified in the "nameserver" lines of the /etc/resolv.conf file. But if your first nameserver is your router IP, the queries will be sent to your router which in turn will send them out unencrypted. Solution is straightforward: edit the /etc/resolv.conf file and add the following line at the top (just an example, of course you can use any of your favorite DNS, as long as it is NOT your router):
nameserver 10.4.0.1 # in order to use AirVPN DNS
nameserver 8.8.8.8 # in order to use Google DNS only if AirVPN DNS is unavailable


Kind regards
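As an added illustration, not code from the thread or from AirVPN, the following Python script models how the OUTPUT chain built by the iptables rules above decides a packet's fate: iptables takes the first matching rule, and a packet that matches nothing falls through to the chain policy (ACCEPT in the thread's setup, since the rules append a DROP instead of changing the policy). It parses the rules as posted, with the placeholder a.b.c.d replaced by the Lyra entry-IP quoted earlier in the thread (62.212.85.65) as a sample value, and evaluates constructed sample packets, including the DNS-to-router case from the warning at the end of the post. Interface names, INPUT/FORWARD chains, connection tracking and the nat table are not modelled.

```python
"""Toy first-match model of the iptables OUTPUT chain from this thread."""
import ipaddress
import shlex

# Rules as posted above, comments trimmed; a.b.c.d -> 62.212.85.65 (Lyra
# entry-IP from post #25) as a sample value.
RULES_TEXT = """
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT
iptables -A INPUT -s 255.255.255.255 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
iptables -A FORWARD -i eth+ -o tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth+ -j ACCEPT
iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
iptables -A OUTPUT -o eth+ ! -d 62.212.85.65 -j DROP
"""


def parse_rules(text, chain="OUTPUT"):
    """Keep only '-A <chain>' rules of the filter table, as dicts of the
    options used in the thread (-o, -i, -s, -d, -j) plus a set of negated ones."""
    rules = []
    for line in text.strip().splitlines():
        argv = shlex.split(line.split("#", 1)[0])
        if "-t" in argv or "-A" not in argv:
            continue  # nat table or not an append
        if argv[argv.index("-A") + 1] != chain:
            continue
        rule = {"negate": set()}
        i = 1
        while i < len(argv):
            tok = argv[i]
            if tok == "!":
                rule["negate"].add(argv[i + 1])
                i += 1
                continue
            if tok in ("-A", "-o", "-i", "-s", "-d", "-j"):
                rule[tok] = argv[i + 1]
                i += 2
                continue
            i += 1
        rules.append(rule)
    return rules


def _iface_match(pattern, iface):
    # iptables wildcard: 'eth+' matches eth0, eth1, ...
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return iface == pattern


def _addr_match(net, addr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def rule_matches(rule, pkt):
    checks = {"-o": lambda v: _iface_match(v, pkt["oif"]),
              "-s": lambda v: _addr_match(v, pkt["src"]),
              "-d": lambda v: _addr_match(v, pkt["dst"])}
    for opt, fn in checks.items():
        if opt in rule:
            hit = fn(rule[opt])
            if opt in rule["negate"]:
                hit = not hit
            if not hit:
                return False
    return True


def verdict(rules, pkt, policy="ACCEPT"):
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["-j"]
    return policy


def leak_report(text=RULES_TEXT):
    """Constructed sample packets: LAN host 192.168.1.10, router 192.168.1.1,
    tunnel address 10.4.0.5, AirVPN DNS 10.4.0.1."""
    rules = parse_rules(text)
    cases = {
        "eth_to_internet": {"oif": "eth0", "src": "192.168.1.10", "dst": "8.8.8.8"},
        "eth_to_air_entry": {"oif": "eth0", "src": "192.168.1.10", "dst": "62.212.85.65"},
        "dns_to_router": {"oif": "eth0", "src": "192.168.1.10", "dst": "192.168.1.1"},
        "dns_via_tunnel": {"oif": "tun0", "src": "10.4.0.5", "dst": "10.4.0.1"},
        "dhcp_broadcast": {"oif": "eth0", "src": "0.0.0.0", "dst": "255.255.255.255"},
        "loopback": {"oif": "lo", "src": "127.0.0.1", "dst": "127.0.0.1"},
    }
    return {name: verdict(rules, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, v in leak_report().items():
        print(f"{name:18s} {v}")
```

The `dns_to_router` case is the point of the warning above: a query to the router's LAN address is ACCEPTed by the 192.168.0.0/16 rule, so the router forwards it unencrypted, whereas a query to 10.4.0.1 leaves through tun0 and stays inside the tunnel. The model also shows why the thread's ordering matters: the LAN and broadcast ACCEPTs must precede the final DROP, because the first match wins.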

#33 JamesDean

JamesDean

    Advanced Member

  • Members
  • PipPipPip
  • 75 posts

Posted 12 April 2012 - 12:27 PM

Is there any way to disable a rule in Comodo? I like being able to block on VPN drop, but sometimes I'd like to access sites using my ISP. I can't find a way, other than deleting and recreating the rule each time...which is a pain. I currently created an application rule for Firefox and tested that it works (It does). I wonder if there is a way to create 2 Global rules, and then move one above the other when needed...does Comodo work like a traditional firewall where the allow rule above the deny rule is respected?

Thanks,

JD

Edit: I guess I could close the VPN and uncheck the Exclude box as a work around, correct?

#34 Staff

Staff

    Advanced Member

  • Staff
  • PipPipPip
  • 7858 posts

Posted 12 April 2012 - 06:09 PM

Is there any way to disable a rule in Comodo? I like being able to block on VPN drop, but sometimes I'd like to access sites using my ISP. I can't find a way, other than deleting and recreating the rule each time...which is a pain. I currently created an application rule for Firefox and tested that it works (It does). I wonder if there is a way to create 2 Global rules, and then move one above the other when needed...does Comodo work like a traditional firewall where the allow rule above the deny rule is respected?

Thanks,

JD

Edit: I guess I could close the VPN and uncheck the Exclude box as a work around, correct?



Hello!

The "Exclude" tick might or might not work properly (it works as a NOT operator), it depends on your configuration.

Probably the most straightforward way is switching from your "Custom Policy" (when connected to the VPN) to "Safe Mode" (when you want connectivity without the VPN), because to do that you just need to right-click on the Comodo dock icon.

Kind regards

#35 JamesDean

JamesDean

    Advanced Member

  • Members
  • PipPipPip
  • 75 posts

Posted 12 April 2012 - 07:53 PM

Thanks. The Exclude switch works. When unchecked, it will block the VPN and allow anything else. Since the VPN is shut down, it doesn't matter. Pretty decent work around.

JD

#36 ana.pofuk

ana.pofuk

    Newbie

  • Members
  • Pip
  • 6 posts

Posted 15 April 2012 - 07:27 AM


a.b.c.d is the entry-IP address of the Air server you connect to. You can find out the address simply looking at the line "remote" of your air.ovpn configuration file. Some of the following rules might be redundant if you have already chains.

<code>iptables -I FORWARD -i eth+ -o tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -o eth+ -j ACCEPT # make sure that eth+ and tun+ can "communicate"
iptables -I INPUT -i tun+ -j REJECT
iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE # in the POSTROUTING chain of the NAT table, map the tun+ interface outgoing packet IP address, cease examining rules and let the header be modified, so that we don't have to worry about ports or any other issue - please check this rule with care if you have already a NAT table in your chain
iptables -I OUTPUT -o eth+ ! --dst a.b.c.d -j DROP # if destination for outgoing packet on eth+ is NOT a.b.c.d, drop the packet, so that nothing leaks if VPN disconnects
# the above line can be duplicated for as many Air servers as you wish to connect to, just insert the appropriate Air server entry-IP
</code>


Kind regards



Hi,
I've tried this approach, but it didn't work for me; it seems it blocked all traffic. It was a good start. I did some research, and it seems the tun interface is the one communicating with the VPN server, so I did this:

iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -A OUTPUT -d a.b.c.d -j ACCEPT
iptables -A OUTPUT -j DROP

didn't check completely, but it seems to be working

#37 jessez

jessez

    Advanced Member

  • Members
  • PipPipPip
  • 78 posts

Posted 06 June 2012 - 02:23 AM

Thanks to the airvpn techs and Orfeo for the work with the pf firewall. What a nightmare I've had trying to get it working right! I don't want the Apple anchor and do want DNS through privacyfoundation.de, so this is my working pf.conf for anyone else to use. It has all the Gb servers except the one in the UK. Also, with pf.conf on the Mac, the last line needs to have a return, so when the cursor is on the last line, you should be able to use the right or down arrows and have the cursor drop one line down only. Any more than that, backspace it out.
Using this in terminal will show exactly what the rules are that will load and point out any errors:

sudo pfctl -vvv -f /etc/pf.conf

for some reason you still have to do: sudo pfctl -e
to start the firewall.

Best regards to all,
jz


# pf.conf
# Drop everything that doesn't match a rule
block drop out inet from 192.168.0.0/16 to any
# Swiss DNS
pass out quick inet from 192.168.0.0/16 to 87.118.104.203 flags S/SA keep state
pass out quick inet from 192.168.0.0/16 to 87.118.109.2 flags S/SA keep state
# Airvpn; Tauri, Castor, Draconis, Sirius, Vega
pass out quick inet from 192.168.0.0/16 to 46.165.208.65 flags S/SA keep state
pass out quick inet from 192.168.0.0/16 to 95.211.169.3 flags S/SA keep state
pass out quick inet from 192.168.0.0/16 to 178.248.29.132 flags S/SA keep state
pass out quick inet from 192.168.0.0/16 to 108.59.8.147 flags S/SA keep state
pass out quick inet from 192.168.0.0/16 to 69.163.36.66 flags S/SA keep state
# Local network
pass out quick inet from 192.168.0.0/16 to 192.168.0.0/16 flags S/SA keep state
# Allow all on lo0
pass out quick inet from 127.0.0.1 to any flags S/SA keep state
# Everything tunneled
pass out quick inet from 10.0.0.0/8 to any flags S/SA keep state

Modified by jz
Here are modifications to pf.conf:
https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=2935&Itemid=142#2935
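As an added illustration, not code from the thread or from AirVPN, the following Python script models how pf picks a verdict for the outbound rule sets in post #25 and in jz's pf.conf above: every rule is evaluated in order, the last matching rule wins, a matching rule marked "quick" ends evaluation at once, and a packet that matches no rule passes. It embeds the IceFloor rule listing from post #25 (Lyra entry-IP 62.212.85.65) and constructed sample hosts, and shows what the Staff reply in that post warns about: once the "block ... out" line is gone, LAN-sourced traffic to any Internet address passes. State tracking, TCP flags, inbound rules, IPv6 and anchors are not modelled.

```python
"""Toy model of pf rule evaluation for the outbound rule sets in this thread."""
import ipaddress

# Rule set as IceFloor displayed it in post #25 (Lyra entry-IP 62.212.85.65).
PF_CONF = """
anchor "com.apple/*"
block drop out inet from 192.168.0.0/16 to any
pass out quick inet from 192.168.0.0/16 to 62.212.85.65 flags S/SA keep state
pass out quick inet from 192.168.0.0/16 to 192.168.0.0/16 flags S/SA keep state
pass out quick inet from 127.0.0.1 to any flags S/SA keep state
pass out quick inet from 10.0.0.0/8 to any flags S/SA keep state
"""


def parse_pf(text):
    """Parse the subset of pf syntax used in this thread: outbound block/pass
    rules with optional 'quick', 'from <addr>' and 'to <addr>'. Anchors,
    comments, 'flags' and 'keep state' are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("anchor"):
            continue
        tok = line.split()
        if tok[0] not in ("block", "pass") or "out" not in tok:
            continue  # only outbound filter rules are modelled
        src = tok[tok.index("from") + 1] if "from" in tok else "any"
        dst = tok[tok.index("to") + 1] if "to" in tok else "any"
        rules.append({"action": tok[0], "quick": "quick" in tok,
                      "src": src, "dst": dst})
    return rules


def _in(net, addr):
    # 'any' and 'all' match every address; otherwise test CIDR membership.
    if net in ("any", "all"):
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def pf_verdict(rules, src, dst):
    """pf evaluates every rule in order; the LAST matching rule decides,
    except that a matching 'quick' rule ends evaluation immediately.
    If nothing matches, pf's implicit default is to pass."""
    result = "pass"
    for r in rules:
        if _in(r["src"], src) and _in(r["dst"], dst):
            result = r["action"]
            if r["quick"]:
                break
    return result


def kill_switch_report(conf):
    """Verdicts for the traffic patterns discussed in the thread (constructed
    sample hosts: 192.168.1.10 on the LAN, 10.4.0.5 inside the tunnel)."""
    rules = parse_pf(conf)
    return {
        "lan_to_internet": pf_verdict(rules, "192.168.1.10", "8.8.8.8"),
        "lan_to_air_entry": pf_verdict(rules, "192.168.1.10", "62.212.85.65"),
        "lan_to_lan": pf_verdict(rules, "192.168.1.10", "192.168.1.1"),
        "tunnel_to_internet": pf_verdict(rules, "10.4.0.5", "8.8.8.8"),
    }


def without_default_block(conf):
    """The post #25 experiment: the 'block ... out' line removed."""
    return "\n".join(l for l in conf.splitlines()
                     if not l.strip().startswith("block"))


if __name__ == "__main__":
    print("with block rule:   ", kill_switch_report(PF_CONF))
    print("without block rule:", kill_switch_report(without_default_block(PF_CONF)))
```

Because the pass rules carry "quick", a packet they match is decided immediately; everything else from 192.168.0.0/16 is left with the block rule as its last match. "block out all" parses to a rule with no source or destination and therefore blocks everything the later pass rules do not rescue, which is why the Staff reply calls it equivalent to the IceFloor line.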



#38 slackerofthemind

slackerofthemind

    Newbie

  • Members
  • Pip
  • 8 posts

Posted 19 June 2012 - 10:34 PM

Thanks to everyone who has contributed here.

Have any Mac users managed to set-up Waterroof rules (for 10.6.8)?

If so, would you be willing to export & share these?

#39 galilao

galilao

    Advanced Member

  • Members
  • PipPipPip
  • 47 posts

Posted 25 June 2012 - 08:35 AM

Hello, I launched Waterroof, but how do I key in these commands? Thank you

#40 jessez

jessez

    Advanced Member

  • Members
  • PipPipPip
  • 78 posts

Posted 25 June 2012 - 03:45 PM

Hi,
There aren't any rules in this article for ipfw ( WaterRoof being a front-end for ipfw ). The ones above ( and the others that mention pf ) are for the pf firewall; only available in Mac Lion, BSD, and some other UNIX variants. iptables is only used in Linux anymore as far as I know.
What operating system are you using?
If necessary I could set up some rules for ipfw if slackerofthemind and/or galilao are willing to test them.
Best
jz



