http://support.emsisoft.com/topic/12460-online-armor-and-vpn/ Please tell me that I'm having a serious misunderstanding regarding this piece of information. EDIT: It's been a long time since I tried OAP and I have used up my whole trial period, so clearly I don't remember about it at all and I'm unable to check it myself. We really can't use it as a killswitch? What the hell on earth?
This is basically the same arrangement I've described for forcing a browser through a local filtering proxy. All that's required are 2 rules. What is necessary is that the firewall allows you to be specific with these rules. You have to be able to specify the IP (including localhost), the protocol, and port number for specific applications. The first rule allows the specific connection that you want to use. The 2nd rule blocks everything else. If a firewall isn't able or doesn't allow you to be specific regarding the traffic you want allowed, it isn't capable of preventing leaks and bypasses and should not be trusted for that purpose. I can't comment specifically on OA but it is a trend with most security suites. They focus on the HIPS components and features while the basic firewall component gets neglected or weakened.
It's been almost three years since I've used OAP and I used it since early the Tall Emu days. Anyhow, there's nothing in these setups that would allow to configure that VPN-only environment? http://help.emsisoft.com/oa/Firewall.shtml http://help.emsisoft.com/oa/FWCRules.shtml It might be possible to engage in speech again. I wonder which competitor's firewall was recommended to skypilotpete by the VPN provider. And "Our main Online Armor developer ... is fairly certain that what you want to do isn't possible in Online Armor." Fairly certain? From the main developer?? Now that is speechless. Cheers.
If those screenshots are complete, I don't see anywhere the user can restrict the traffic to a specific IP or IP range, or any way to allow, block, or restrict traffic to loopback/localhost IPs. Without that ability, it is not capable of preventing the bypassing of a proxy or VPN and won't prevent leakage around it. Regarding his "fairly certain" statement, it appears that he's neglected or totally forgotten what the primary purpose of an internet firewall is, namely to control traffic.
If you can't set up the rules none_particular spoke about, use an other firewall (eg comodo, or even seven's firewall), or use the route method to block all traffic in case your vpn connection drops.
You're right, you don't. The "Firewall rule editor" shown is I'm sure for the free version, standard mode. Why they're not showing the premium advanced mode is anyones guess. Mine is, "That's typical Emsisoft." I googled about for a screen shot to no avail. And any links to pdf docs over at Emsisoft have long been dropped from the site. There are fields to enter IP ranges either by entering full address ranges or by CIDRs. I know as I had several in the ~100 rules I had. Here's one I built for the primary and secondary DNS servers, pulled from a shot I took from the logs screen for some reason or another. And just one of several rules I had for svchost. In the firewall options http://help.emsisoft.com/oa/Options.shtml there's an "intercept loopback interface" option. Once enabled, rules could be created. I had connectivity to 127.0.0.1 down real tight. OAP is one of the most granular firewalls I've ever worked with outside of the enterprise with one of the most convenient and logical GUIs. Nothing I hadn't allowed connected out without a pop-up. I'd still be using it were it not for the stupid changes they made to the Domains control. But that's going off-topic. Cheers.
That's the main reason that I've stayed with Kerio 2.1.5 and opted for a separate, freestanding HIPS. You can create tight rules directly from the alerts and you don't have to deal with hard coded rules. It's a shame that no one makes anything quite like it for the newer versions of Windows.
Oh yes, I forgot that there's the "Restrictions Tab" to configure connections by the IP addresses/IP range and countries. Thanks for the references. Now this is amusing, why did the developer say otherwise? It must be CIS. Many VPN service providers tend to recommend it.
Comodo FW is ideal for handling this sort of thing. I create a VPN Zone under "Network Zones" and interchange it and my regular LAN Zone whenever switching back and forth. And always have block rules underneath the allow rules to block DNS/other leaks, no matter which state I'm in. It's that easy. The FW & HIPS components are both very strong, and granular. It seems the main reason most people hate on it are for personal reasons. But judging by it's quality as a product alone it's tough to beat. Especially v5.10 (or 5.12 if you use Web scanning with an AV).
Kerio/Sunblet. And PC Tools FW+ Free Edition. Quite familiar with those - used 'em over the years on systems I didn't want to spend $$ for OAP. And one or two others I can't recall due to run-down cerebral ion pumps. Dismissing the version 5, 6, 7 and 8 discussions, Comodo is excellent but while the HIPS, BB and sandboxing can be disabled, it's really just "disabled." Would there be a way but to de-select those during install, not. But now for the firewall I've accepted Ad-Aware Pro with Bitdefender's firewall and network intrusion prevention. Allowed apps go out to "anything anywhere" but I've set to alert allow/deny if something new tries to go out. And there's some decent LAN configuration which is lacking in some current suites' firewalls. For me, the days of allow/deny/build/session-only pop-ups and for port 53 or 127.0.0.1 out to some unresolvable IP or anything other than TCP 80 & 443 out are over. Where once I considered that layer to be a primary defense, I now trust Ad-Aware's Lavasoft engines and their excellent use of Bitdefender's SDK (sigs, B-Have, AVC, URL filtering, anti-phishing, anti-spam, firewall). That with MBAM Premium and Zemana Pro. Oh well...
