Prevent leaks with Ubuntu Linux & gufw/ufw (thanks to worric)

[worric 12]

Personally I'm using gufw for linux, and it works very well.

However, it's important to remember that gufw is just a graphical frontend for ufw, and ufw, in turn, is just a friendlier system for manipulating IPTABLES (which is again a system for manipulating netfilter directly in the running kernel).

Gufw is perhaps over simplified, which is why I find it not really that great for anything else than providing an overview of your rules and turning the firewall on an off.

With regards to firestarter, I have tried it once, but I didn't really have any good experience with it, since, as you guys have already posted, it seems rather poorly coded and does some odd things when manipulating IPTABLES.

What I found invaluable about ufw is its ability to specify rules based on interface and its simplictity even though its quite powerful. This was my main motivation for using it over other solutions like Firestarter, and Shorewall was too complicated for my taste.

My rule approach goes like this:

Allow connections OUT to AirVPN servers I use the most (for connecting/reconnecting to the AirVPN service, entry IP's, marked RED on the screenshot)

Allow connections OUT FROM the tun0 interface TO anywhere (when I'm connected, this is the interface used to communicate to the Internet, marked GREEN on the screenshot)

Allow connections (UDP/TCP) IN TO the tun0 interface to a specific port (to enable AirVPN's port forwarding feature, marked BLUE on the screeshot)

Allow connections IN FROM the 192.168.1.0/24 network TO the eth0 interface (enable home networking. Notice how it's on a different interface, YELLOW)

Allow connections OUT FROM the eth0 interface TO the 192.168.1.0/24 network (enable home networking, also on the eth0 interface, YELLOW)

Block ALL other traffic (by choosing DENY/DENY in gufw)

When the VPN drops (and the tun0 interface is disabled), the only connections allowed OUT from the computer are to the AirVPN server IP's (to reconnect) and the local 192.168.1.0/24 network (to still function in the LAN). And the only connections allowed TO the computer are from the local network as well. No leaks.

Now, the gufw GUI doesn't allow for specifying the interface (remember, it's over simplified), so to do that, it's necessary to use ufw directly. Gufw can, however, display the rules when created by ufw.

For example:

"sudo allow out on tun0 from any to any" - is quite straightforward, and of course creates the rule that allows for communication TO the Internet when connected to AirVPN.

"sudo allow in on tun0 from any to any port xxxxx" - enables the port forwarding feature by allowing packets to the specified port on the tun0 interface to pass through.

Tips:

- the order of the rules is very important - mimic mine on the screenshot attached

- to add rules in a specific order from the command line, use "insert x": "sudo insert 3 allow in on tun0 from any to any port xxxxx" - inserts the rule at the 3rd position and moves rules below it downward, includin the previous rule nr 3.

- when adding rules via the commandline, press F5 in gufw to force a refresh and view the newly added rule

- the UFW manual is well worth reading, although you may not need any more information than offered in this post

- with this approach, you're blocking multicasting addresses possibly forwarded by your router. Just a thing to have in mind in case you need it; it is of couse easily remedied by creating a new rule allowing the address(es).

Let me know how this works for ya

[Terry Stanford 11]

Great post, shame I can't see the screenshot you refer to!!

[catsarecool 0]

4 hours ago, Terry Stanford said:

Great post, shame I can't see the screenshot you refer to!!

[ndsc 0]

for ufw. add rules for your lan as needed

# allows a connection out to your server
ufw allow out to [airvpn server ip] port [port] proto [protocol]

# allows traffic on your vpn interface
ufw allow out on [vpn interface]

# drops everything else going out
ufw default deny outgoing

# if you use networkmanager, this keeps the vpn up on disconnect
nmcli connection modify [vpn name] vpn.persistent yes

# should DHCPDISCOVER start complaining
ufw allow out 67

Edited ... by ndsc

[Terry Stanford 11]

Don't suppose you know how to achieve this on MacOSX?

[lucky0 2]

To do the same on macOS you have to generate PF rules and load them. Depends on your tech skills, you can read PF rules from Eddie source code, write it to the file, do small changes and load them via /sbin/pfctl. You can read about how to use pfctl command by running in your terminal:

man pfctl

You can use AirVPN console client named hummingbird which can do network lock too.
Another option is to use third party tools to archive the same goal. For example you can use killswitch or netlock tools which will generate PF rules for you.
If you use third party VPN client, like Viscosity or Tunnelblick you have to think about DNS leaks on reconnect. Using configs with server names instead of ips requires to resolve dns name on connection. To mitigate this you can use special dns server to resolve airdns domains. This can be done using dnscrypt-proxy or dnsmasq. Edited ... by lucky0
add some links

[Terry Stanford 11]

Thanks, I have network lock in Eddie. I am looking for a way to block all connections when Eddie is not running, such as during login.

[lucky0 2]

You have to use macOS launch init system. It is an example of macOS loading default PF rules at startup.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Disabled</key>
	<false/>
	<key>Label</key>
	<string>com.apple.pfctl</string>
	<key>WorkingDirectory</key>
	<string>/var/run</string>
	<key>Program</key>
	<string>/sbin/pfctl</string>
	<key>ProgramArguments</key>
	<array>
		<string>pfctl</string>
		<string>-f</string>
		<string>/etc/pf.conf</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
</dict>
</plist>

Modify this file to load your network lock rules. Than you have to move it in terminal:

sudo cp ~/me.admin.netlock.plist /Library/LaunchDaemons/

And load it:

sudo launchctl load /Library/LaunchDaemons/me.admin.netlock.plist

This file will be parsed during startup and program with arguments will be executed.

[ScarletEmerald 0]

I replaced

# allows a connection out to your server
ufw allow out to [airvpn server ip] port [port] proto [protocol]

with

# allows a connection out to your server
ufw allow out to port [port] proto [protocol]

In my case, [port] is 443 and [proto] is udp.  This allows me to connect to any AirVPN server without adding new ufw rules.  The only downside is a slight chance of leak to some non-AirVPN server on 443/udp, if the VPN connection drops while some application is trying to hit that for some reason.