Windows & Comodo - Prevent leaks

#1 Staff

Posted 15 August 2012 - 12:45 PM

Hello!

Previous threads on Windows and Comodo, on preventing DNS leaks and leaks in case of unexpected VPN disconnection, have become very long and detailed. We invite you to consult those threads for details and support, while we publish this message as a quick, clarifying overview of the essential steps.

Please note that if you don't use Windows you don't need to read this post. If you use Windows and a firewall other than Comodo, you can still take these rules as an example and adapt them to your firewall.

This is a minimal set of instructions to prevent any leak in case of unexpected VPN disconnection and to prevent, in any case, DNS leaks, on a Windows system with Comodo firewall. Comodo firewall is currently the only firewall we recommend for Windows. The free version is just fine for our purposes.

Never rename the rules: in case you need support, we need to see what the rules really state.

1) If you're not familiar with a firewall, read Comodo Firewall manual or guides. In particular, please see the following:

https://help.comodo.com/topic-72-1-451-4773-global-rules.html
https://help.comodo.com/topic-72-1-451-4884-Network-Zones.html

2) Install Comodo Personal Firewall free version available here: https://personalfirewall.comodo.com/

3) Set the Firewall Security Level to "Custom Policy"

 

Comodo Firewall v6 AirVPN Settings - Firewall Settings.png

4) Determine or create the Network Zone of your TAP-Win32 network adapter (from now on "AirVPN"). A safe way to define it: IP Range [10.4.0.0 - 10.9.255.255]

 

Comodo Firewall v6 AirVPN Settings - Network Zones.png

 

Add and authorize similar zones with ranges:

[10.30.0.0 - 10.30.255.255]

[10.50.0.0 - 10.50.255.255]

If you need OpenVPN over SSH/SSL or other alternative connection modes, see also https://airvpn.org/specs

 

5) Determine the entry-IP addresses of the AirVPN server(s) you wish to connect to: https://airvpn.org/topic/14378-how-can-i-get-vpn-servers-entry-ip-addresses

6) Define a "Global Rule" which blocks everything:
Block And Log IP In/Out From MAC Any To MAC Any Where Protocol Is Any
The logging is important for troubleshooting if necessary.

7) Put the above Global Rule in the top position. This will completely block your connectivity and let you add a whitelist of "Allow" global rules placed BEFORE this total block global rule. All the "Allow" rules that you want to be evaluated shall be put BEFORE (i.e. higher than) the above block rule.

8) Define a "Global" rule which allows communications of your TAP-Win32 adapter ("AirVPN") both In and Out:
Allow IP In/Out From In [AirVPN] To MAC Any Where Protocol Is Any
Allow IP In/Out From MAC Any To In [AirVPN] Where Protocol Is Any

9) Do the same for your loopback zone (IP range 127.0.0.1 - 127.255.255.254)
Allow IP In/Out From In [Loopback Zone] To MAC Any Where Protocol Is Any
Allow IP In/Out From MAC Any To In [Loopback Zone] Where Protocol Is Any

10) Do the same for any entry-IP address of the VPN servers you wish to connect to. For example for Leporis:
Allow TCP or UDP In/Out From IP 95.211.191.33 To MAC Any Where Source Port Is Any And Destination Port Is Any
Allow TCP or UDP In/Out From MAC Any To IP 95.211.191.33 Where Source Port Is Any And Destination Port Is Any

For convenience, you might define a Network Zone (for example [Air servers entry IPs]) containing only the entry-IP addresses of our servers and then set two rules like
Allow TCP or UDP In/Out From In [Air servers entry IPs] To MAC Any Where Source Port Is Any And Destination Port Is Any
Allow TCP or UDP In/Out From MAC Any To In [Air servers entry IPs] Where Source Port Is Any And Destination Port Is Any

In this way, you will only need to add a single IPv4 address to that Network Zone in order to connect to a new server, instead of defining two additional rules for each server, which may be annoying if you switch between a lot of servers.

11) Add similar rules to allow communications of your device with your router (and within your home/office network, if you wish). For example, if your network is [192.168.0.0 / 255.255.0.0], define a network zone with IP Range [192.168.0.0 - 192.168.255.255] (let's call it "Home Network") and set the following rules:
Allow TCP In/Out From In [Home Network] To In [Home Network] Where Source Port Is Any And Destination Port Is Any
Allow UDP In/Out From In [Home Network] To In [Home Network] Where Source Port Is Any And Destination Port Is Not 53
Allow ICMP In/Out From In [Home Network] To In [Home Network] Where ICMP Message Is Any

11a) Allow DHCP "negotiation":
Allow IP In/Out From MAC Any To IP 255.255.255.255 Where Protocol Is Any

 

Comodo Firewall v6 AirVPN Settings - Global Rules.png

12) In order to allow "airvpn.org" resolution even when disconnected (and any other hostname you wish to be resolved even when VPN is disconnected), add to your hosts file the line:
95.211.138.143 airvpn.org

Do not forget about this change! If we change our main frontend IP address, you will not be able to reach airvpn.org anymore until you remove that line. This is no longer necessary starting with Air client edition 2, "Eddie".


13) If you use the Air client, add rules to allow communications with IP addresses 5.196.64.52 and 95.211.138.143 (two of our frontend servers), In and Out:
Allow TCP or UDP In/Out From IP 5.196.64.52 To MAC Any Where Source Port Is Any And Destination Port Is Any
Allow TCP or UDP In/Out From MAC Any To IP 5.196.64.52 Where Source Port Is Any And Destination Port Is Any

Allow TCP or UDP In/Out From IP 95.211.138.143 To MAC Any Where Source Port Is Any And Destination Port Is Any

Allow TCP or UDP In/Out From MAC Any To IP 95.211.138.143 Where Source Port Is Any And Destination Port Is Any

14) You can progressively enlarge your whitelist just by adding "Allow" rules before the total blocking rule of point 6) according to your system needs.

Keep in mind that there are literally dozens of ways to accomplish the same task with Comodo.

Pay attention not to confuse the "-" symbol, which stands for "IP range", with the "/" symbol, which stands for IP address / NetMask. For example, [10.4.0.0 - 10.9.255.255] is correct (the IP range from 10.4.0.0 to 10.9.255.255), while [10.4.0.0 / 10.9.255.255] is NOT correct (IP 10.4.0.0 NetMask 10.9.255.255, which covers almost every existing IP address!).

When you have defined all the rules, do not forget to click "Apply" and "OK" in order to store them and make them active for any new connection. Test everything and do not be afraid to experiment before you rely on the secured connection for sensitive data transmissions.

Kind regards



#2 Staff

Posted 21 August 2012 - 10:16 AM

Hello!

If you have any problem, please submit a help request with the "Contact us" form, attaching the following data:

- your network zones
- your global rules
- your application rules
- Comodo Firewall events logs
- your client logs

Kind regards
