Creating a FW rule to prevent leaks on VPN drop

So to make a long story short... can anybody conjure up an effective rule to accomplish this task (disconnect your internet connection if/when your VPN connection drops) in Comodo Firewall? And please be descriptive and show exactly how & where to place these rules.

This would be a HUGE assist to a lot of people, as I've yet to find any 3'rd party app that does this reliably. I know of 2 VPN's that have it built into their client, but I'm not sure how well it works.

 

There was a post about fixing the dropping issue, not sure if it was Linux centric or not.

 

Here's a repost of my original suggestion:

Perhaps I should have mentioned that this should be in your Application rules. You need to add or edit the rules for each specific application that you want to lock down against VPN connection-drop leaks. Assuming you're using Comodo to make firewall rules for "safe" applications that require access to the internet anyway, then it should be fairly simple to incorporate the rules I suggested above. Just make sure you have a defined Network Zone for your VPN that is distinct from your LAN (as defined in Firewall | Network Security Policy | Network Zones). Here are some suggestions for application-specific rules:

C:\Program Files\uTorrent\uTorrent.exe

• Allow IP In/Out From In [Virtual Private Network] To MAC Any Where Source Port Is Any And Destination Port Is Any
• Block and Log IP In/Out From [Local Area Network] To MAC Any Where Source Port Is Any And Destination Port Is Any

C:\Program Files\Mozilla Firefox\firefox.exe

• Allow TCP Out From MAC Any To IP 127.0.0.1 Where Source Port Is Any And Destination Port Is Any
• Allow TCP Out From In [Virtual Private Network] To MAC Any Where Source Port Is Any And Destination Port Is Any
• Block and Log IP In/Out From [Local Area Network] To MAC Any Where Source Port Is Any And Destination Port Is Any

C:\Program Files\Mozilla Firefox\plugin-container.exe

• Allow TCP Out From In [Virtual Private Network] To MAC Any Where Source Port Is Any And Destination Port Is Any
• Block and Log IP In/Out From [Local Area Network] To MAC Any Where Source Port Is Any And Destination Port Is Any

That should do it. Or, if you don't like my idea, here's another suggestion that I got from the BolehVPN support forums: http://www.bolehvpn.net/forum/index.php/topic,5798.msg32701.html. It's a little different than my setup, but basically it's the same principle involved. Also, note that the instructions were written for BolehVPN users, but the wording can easily be tweaked to work with any VPN of your choosing.

 

Trying to secure VPN tunnels (or Tor etc) on general use computers is like putting lipstick on pigs. Even if you manage that, there are so many other ways to fail (cookies, logs, swapfiles, etc). Instead, use virtualization (say, VirtualBox on Linux or Mac, or VMware on Windows). Instead of depending on software firewall rules, you can use virtual firewalls (say, pfSense for VPNs, and OpenWRT for Tor) and virtual networks. Have several virtual machines, one for each sort of activity or interest. It's easy and fun.

 

Well, sure... but now you're talking about a different issue entirely, i.e., forensic artifacts on the physical disk. I think the OP here was just looking for a simple solution to preventing his torrent program from IP leaks if the VPN connection drops... and in my personal experience, using the aforementioned software-based firewall rules have been 100% effective in accomplishing just that. For the record, I also recommend using virtual machines in a manner similar to that which you just described, but--understandably--that sort of solution might not necessarily be practical (or enjoyable) for everyone else's circumstances.

 

Thank you so much Casper! This was a HUGE assist. I owe you a beer man, works like a charm. My rule sets for UTorrent & my browsers are much tighter, but I incorporated your idea into them. Just opened a session with UTorrent then disconnected my VPN... it stopped it dead in it's tracks.

I set up a network zone for my VPN. I notice it always uses the same 3-4 IP addresses between 10.x.x.1 - 10.x.x.30, so I added them, + subnet masks. Here is my UTorrent rule set:

1. DNS Service - Allow UDP Out, Source Add. - Network Zone (VPN), Dest. Add. - Any, Source Port - Any, Dest. Port - 53

2. Multicast - Allow UDP Out, Source Add. - Network Zone (VPN), Dest. Add. - Range 239.0.0.0 - 239.255.255.255, Source Port - Any, Dest. Port - 6771

3. Ephermal Ports [IN] (UDP) - Allow UDP In, Source Add. - Any, Dest. Add. - Network Zone (VPN), Source Port - Any, Dest. Port - Range 1024-5000

4. Ephermal Ports [OUT] (TCP/UDP) - Allow TCP/UDP Out, Source Add. - Network Zone (VPN), Dest. Add. - Any, Source Port - Range 1024-5000, Dest. Port - Any

5. Port [IN] (TCP/UDP) - Allow TCP/UDP In, Source Add. - Any, Dest. Add. - Network Zone (VPN), Source Port - Any, Dest. Port - 60392*

6. Port [OUT] (UDP) - Allow UDP Out, Source Add. - Network Zone (VPN), Dest. Add. - Any, Source Port - 60392*, Dest. Port - Any

7. Block Rule - Block IP In/Out, Source Add. - Network Zone (LAN), Dest. Add. - Any, IP Details - Any

* = pick any port between 49152 & 65535. Use this same port in your UTorrent settings of course. I personally change this port every time I open a new session.

For my browsers I incorporated my VPN Network Zone into the predefined rules then used the "Web Browser" rule for them. I have plugin-container blocked, and everything works just fine without it.

Awesome stuff Casper! Thanks again mate.

 

No Problem, luciddream. Glad I could help.

Your rule for 'DNS Service' is a great example of zone-specific firewall rules--you definitely got the hang of it. Mine looks something like this:

C:\Windows\system32\svchost.exe

• Allow UDP Out From In [VPN Zone] To IP [DNS Address #1] Where Source Port Is Any And Destination Port Is 53
• Allow UDP Out From In [VPN Zone] To IP [DNS Address #2] Where Source Port Is Any And Destination Port Is 53
• Block And Log UDP Out From In [Local Area Network] To MAC Any Where Source Port Is Any And Destination Port Is 53
• Additional rule(s) pertaining to DHCP, networking, Windows time server, etc.

I can confirm that this works flawlessly for preventing DNS leaks while using VPN. As I've discussed in previous topics, I don't necessarily consider the threat of 'DNS leaks' to be a major security concern... but given the simplicity of locking down this behavior via firewall rules, might as well just go ahead and do it--just to be on the safe side.

I do this as well (i.e., randomize the port number on application start-up). I know that some VPN providers assign static port numbers to clients for port forwarding, but it's generally not recommended to use such fixed ports unless absolutely necessary. Otherwise, a determined adversary could successfully target you if the port is associated with a specific client/user ID of the VPN service. It's much safer to use an arbitrary, unassociated port number--as you mentioned. The only downside is that you can't 'seed' torrents to non-peers, nor run a server that expects incoming connections, etc.

 

I forgot to mention that that's just my rule set for UTorrent. My DNS rules are just like yours. I have one for my VPN DNS servers as well (10.x.x.x), and a rule for DHCP (Source Port - 68, Dest. Port - 67). Besides that, same thing you have.

I'm also using a tool that flushes the DNS cache on VPN connect, so this vector is double-sealed now.

Feel safer already. Thanks again.