Creating a FW rule to prevent leaks on VPN drop

Discussion in 'privacy technology' started by luciddream, Oct 15, 2011.

Thread Status:
Not open for further replies.
  1. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    So to make a long story short... can anybody conjure up an effective rule to accomplish this task (disconnect your internet connection if/when your VPN connection drops) in Comodo Firewall? And please be descriptive and show exactly how & where to place these rules.

    This would be a HUGE assist to a lot of people, as I've yet to find any 3rd party app that does this reliably. I know of 2 VPNs that have it built into their client, but I'm not sure how well it works.
     
    Last edited: Oct 15, 2011
  2. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    There was a post about fixing the dropping issue, not sure if it was Linux centric or not.
     
  3. CasperFace

    CasperFace Registered Member

    Joined:
    Jul 31, 2010
    Posts:
    200
    Here's a repost of my original suggestion:
    Perhaps I should have mentioned that this should be in your Application rules. You need to add or edit the rules for each specific application that you want to lock down against VPN connection-drop leaks. Assuming you're using Comodo to make firewall rules for "safe" applications that require access to the internet anyway, then it should be fairly simple to incorporate the rules I suggested above. Just make sure you have a defined Network Zone for your VPN that is distinct from your LAN (as defined in Firewall | Network Security Policy | Network Zones). Here are some suggestions for application-specific rules:

    C:\Program Files\uTorrent\uTorrent.exe
    • Allow IP In/Out From In [Virtual Private Network] To MAC Any Where Source Port Is Any And Destination Port Is Any
    • Block and Log IP In/Out From [Local Area Network] To MAC Any Where Source Port Is Any And Destination Port Is Any

    C:\Program Files\Mozilla Firefox\firefox.exe
    • Allow TCP Out From MAC Any To IP 127.0.0.1 Where Source Port Is Any And Destination Port Is Any
    • Allow TCP Out From In [Virtual Private Network] To MAC Any Where Source Port Is Any And Destination Port Is Any
    • Block and Log IP In/Out From [Local Area Network] To MAC Any Where Source Port Is Any And Destination Port Is Any

    C:\Program Files\Mozilla Firefox\plugin-container.exe
    • Allow TCP Out From In [Virtual Private Network] To MAC Any Where Source Port Is Any And Destination Port Is Any
    • Block and Log IP In/Out From [Local Area Network] To MAC Any Where Source Port Is Any And Destination Port Is Any

    That should do it. Or, if you don't like my idea, here's another suggestion that I got from the BolehVPN support forums: http://www.bolehvpn.net/forum/index.php/topic,5798.msg32701.html. It's a little different than my setup, but basically it's the same principle involved. Also, note that the instructions were written for BolehVPN users, but the wording can easily be tweaked to work with any VPN of your choosing.

    :thumb:
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Trying to secure VPN tunnels (or Tor etc) on general use computers is like putting lipstick on pigs. Even if you manage that, there are so many other ways to fail (cookies, logs, swapfiles, etc). Instead, use virtualization (say, VirtualBox on Linux or Mac, or VMware on Windows). Instead of depending on software firewall rules, you can use virtual firewalls (say, pfSense for VPNs, and OpenWRT for Tor) and virtual networks. Have several virtual machines, one for each sort of activity or interest. It's easy and fun.
     
  5. CasperFace

    CasperFace Registered Member

    Joined:
    Jul 31, 2010
    Posts:
    200
    Well, sure... but now you're talking about a different issue entirely, i.e., forensic artifacts on the physical disk. I think the OP here was just looking for a simple solution to preventing his torrent program from IP leaks if the VPN connection drops... and in my personal experience, using the aforementioned software-based firewall rules has been 100% effective in accomplishing just that. For the record, I also recommend using virtual machines in a manner similar to that which you just described, but--understandably--that sort of solution might not necessarily be practical (or enjoyable) for everyone else's circumstances.
     
  6. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    Thank you so much Casper! :thumb: This was a HUGE assist. I owe you a beer man, works like a charm. My rule sets for UTorrent & my browsers are much tighter, but I incorporated your idea into them. Just opened a session with UTorrent then disconnected my VPN... it stopped it dead in its tracks.

    I set up a network zone for my VPN. I notice it always uses the same 3-4 IP addresses between 10.x.x.1 - 10.x.x.30, so I added them, + subnet masks. Here is my UTorrent rule set:

    1. DNS Service - Allow UDP Out, Source Add. - Network Zone (VPN), Dest. Add. - Any, Source Port - Any, Dest. Port - 53

    2. Multicast - Allow UDP Out, Source Add. - Network Zone (VPN), Dest. Add. - Range 239.0.0.0 - 239.255.255.255, Source Port - Any, Dest. Port - 6771

    3. Ephemeral Ports [IN] (UDP) - Allow UDP In, Source Add. - Any, Dest. Add. - Network Zone (VPN), Source Port - Any, Dest. Port - Range 1024-5000

    4. Ephemeral Ports [OUT] (TCP/UDP) - Allow TCP/UDP Out, Source Add. - Network Zone (VPN), Dest. Add. - Any, Source Port - Range 1024-5000, Dest. Port - Any

    5. Port [IN] (TCP/UDP) - Allow TCP/UDP In, Source Add. - Any, Dest. Add. - Network Zone (VPN), Source Port - Any, Dest. Port - 60392*

    6. Port [OUT] (UDP) - Allow UDP Out, Source Add. - Network Zone (VPN), Dest. Add. - Any, Source Port - 60392*, Dest. Port - Any

    7. Block Rule - Block IP In/Out, Source Add. - Network Zone (LAN), Dest. Add. - Any, IP Details - Any

    * = pick any port between 49152 & 65535. Use this same port in your UTorrent settings of course. I personally change this port every time I open a new session.

    For my browsers I incorporated my VPN Network Zone into the predefined rules then used the "Web Browser" rule for them. I have plugin-container blocked, and everything works just fine without it.

    Awesome stuff Casper! Thanks again mate.
     
    Last edited: Oct 16, 2011
  7. CasperFace

    CasperFace Registered Member

    Joined:
    Jul 31, 2010
    Posts:
    200
    No problem, luciddream. Glad I could help. :)

    Your rule for 'DNS Service' is a great example of zone-specific firewall rules--you definitely got the hang of it. Mine looks something like this:

    C:\Windows\system32\svchost.exe
    • Allow UDP Out From In [VPN Zone] To IP [DNS Address #1] Where Source Port Is Any And Destination Port Is 53
    • Allow UDP Out From In [VPN Zone] To IP [DNS Address #2] Where Source Port Is Any And Destination Port Is 53
    • Block And Log UDP Out From In [Local Area Network] To MAC Any Where Source Port Is Any And Destination Port Is 53
    • Additional rule(s) pertaining to DHCP, networking, Windows time server, etc.

    I can confirm that this works flawlessly for preventing DNS leaks while using VPN. As I've discussed in previous topics, I don't necessarily consider the threat of 'DNS leaks' to be a major security concern... but given the simplicity of locking down this behavior via firewall rules, might as well just go ahead and do it--just to be on the safe side.

    I do this as well (i.e., randomize the port number on application start-up). I know that some VPN providers assign static port numbers to clients for port forwarding, but it's generally not recommended to use such fixed ports unless absolutely necessary. Otherwise, a determined adversary could successfully target you if the port is associated with a specific client/user ID of the VPN service. It's much safer to use an arbitrary, unassociated port number--as you mentioned. The only downside is that you can't 'seed' torrents to non-peers, nor run a server that expects incoming connections, etc.
     
    Last edited: Oct 16, 2011
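The two rule sets above (luciddream's uTorrent rules in post 6 and CasperFace's svchost DNS rules in post 7) both rely on the same mechanism: rules are walked top to bottom, the first match wins, and anything sourced from the LAN zone is caught by a block rule near the end. The following Python script is an added example, not code from either poster and not anything Comodo ships; it models that first-match walk so the rule sets can be checked against constructed packets with the tunnel up and after a drop. The zone addresses (10.8.0.0/27 for the VPN, 192.168.1.0/24 for the LAN), the peer and resolver addresses, the listening port 60392 taken from post 6, and the default-deny fallback for unmatched packets are all assumptions of the example; how Comodo itself handles traffic that matches no application rule is outside its scope.

```python
"""Simulate first-match evaluation of zone-based per-application firewall rules.

Added example for the Comodo rule sets discussed in the thread. Zones,
addresses and the default action for unmatched packets are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Assumed zone definitions (constructed, not from the thread): the VPN zone
# covers the 10.8.0.1-.30 style tunnel range, the LAN zone the home subnet.
ZONES = {
    "VPN": (ip_network("10.8.0.0/27"),),
    "LAN": (ip_network("192.168.1.0/24"),),
}
LISTEN = 60392  # the example listening port from post 6


def in_zone(addr: str, zone: str) -> bool:
    return any(ip_address(addr) in net for net in ZONES[zone])


@dataclass
class Packet:
    proto: str       # "TCP" or "UDP"
    direction: str   # "In" or "Out"
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Rule:
    action: str                        # "Allow" or "Block"
    protos: Tuple[str, ...]            # ("IP",) matches any protocol
    directions: Tuple[str, ...]
    src_zone: Optional[str] = None     # None means Any
    dst_zone: Optional[str] = None
    dst_nets: tuple = ()               # explicit destination ranges, () = Any
    sports: Optional[range] = None
    dports: Optional[range] = None

    def matches(self, p: Packet) -> bool:
        if "IP" not in self.protos and p.proto not in self.protos:
            return False
        if p.direction not in self.directions:
            return False
        if self.src_zone and not in_zone(p.src, self.src_zone):
            return False
        if self.dst_zone and not in_zone(p.dst, self.dst_zone):
            return False
        if self.dst_nets and not any(ip_address(p.dst) in n for n in self.dst_nets):
            return False
        if self.sports and p.sport not in self.sports:
            return False
        if self.dports and p.dport not in self.dports:
            return False
        return True


def evaluate(rules, p: Packet, default: str = "Block"):
    """Return (action, 1-based rule number) of the first matching rule.
    Unmatched packets get the assumed default and rule number None."""
    for i, r in enumerate(rules, 1):
        if r.matches(p):
            return r.action, i
    return default, None


# Post 6 uTorrent rule set, in the order given there.
UTORRENT = [
    Rule("Allow", ("UDP",), ("Out",), src_zone="VPN", dports=range(53, 54)),
    Rule("Allow", ("UDP",), ("Out",), src_zone="VPN",
         dst_nets=(ip_network("239.0.0.0/8"),), dports=range(6771, 6772)),
    Rule("Allow", ("UDP",), ("In",), dst_zone="VPN", dports=range(1024, 5001)),
    Rule("Allow", ("TCP", "UDP"), ("Out",), src_zone="VPN", sports=range(1024, 5001)),
    Rule("Allow", ("TCP", "UDP"), ("In",), dst_zone="VPN", dports=range(LISTEN, LISTEN + 1)),
    Rule("Allow", ("UDP",), ("Out",), src_zone="VPN", sports=range(LISTEN, LISTEN + 1)),
    Rule("Block", ("IP",), ("In", "Out"), src_zone="LAN"),
]

# Post 7 svchost DNS rules; resolver addresses are constructed placeholders.
SVCHOST_DNS = [
    Rule("Allow", ("UDP",), ("Out",), src_zone="VPN",
         dst_nets=(ip_network("10.8.0.1/32"),), dports=range(53, 54)),
    Rule("Allow", ("UDP",), ("Out",), src_zone="VPN",
         dst_nets=(ip_network("10.8.0.2/32"),), dports=range(53, 54)),
    Rule("Block", ("UDP",), ("Out",), src_zone="LAN", dports=range(53, 54)),
]


def scenario() -> Dict[str, tuple]:
    """uTorrent traffic with the tunnel up (10.8.0.5) and after a drop, when
    the application falls back to the LAN address (192.168.1.10)."""
    vpn_ip, lan_ip, peer, isp_dns = "10.8.0.5", "192.168.1.10", "203.0.113.7", "192.168.1.1"
    packets = {
        "peer_out_tunnel":  Packet("UDP", "Out", vpn_ip, peer, LISTEN, 6881),
        "peer_in_tunnel":   Packet("TCP", "In", peer, vpn_ip, 51413, LISTEN),
        "dns_tunnel":       Packet("UDP", "Out", vpn_ip, "10.8.0.1", 50000, 53),
        "peer_out_dropped": Packet("UDP", "Out", lan_ip, peer, LISTEN, 6881),
        "dns_dropped":      Packet("UDP", "Out", lan_ip, isp_dns, 50000, 53),
        "peer_in_dropped":  Packet("TCP", "In", peer, lan_ip, 51413, LISTEN),
    }
    return {name: evaluate(UTORRENT, p) for name, p in packets.items()}


def dns_scenario() -> Dict[str, tuple]:
    """svchost DNS queries: VPN resolver over the tunnel, ISP resolver after a
    drop, and an unlisted resolver (198.51.100.53, constructed) over the tunnel."""
    return {
        "vpn_resolver":          evaluate(SVCHOST_DNS, Packet("UDP", "Out", "10.8.0.5", "10.8.0.1", 50000, 53)),
        "isp_resolver_dropped":  evaluate(SVCHOST_DNS, Packet("UDP", "Out", "192.168.1.10", "192.168.1.1", 50000, 53)),
        "other_resolver_tunnel": evaluate(SVCHOST_DNS, Packet("UDP", "Out", "10.8.0.5", "198.51.100.53", 50000, 53)),
    }


if __name__ == "__main__":
    for name, (action, rule) in {**scenario(), **dns_scenario()}.items():
        print(f"{name:24s} {action:5s} rule {rule}")
```

Running the script shows every outbound packet from the LAN address hitting the block rule (rule 7 of the uTorrent set, rule 3 of the DNS set), while the same traffic from the tunnel address is allowed by the zone-specific rules above it. One result worth noticing: an inbound connection to the LAN address after a drop matches nothing, because rule 7 as written keys on the source zone and the peer is not in the LAN; in the simulator that falls to the assumed default deny, and in a real deployment it lands in whatever the firewall does with unmatched application traffic, so it is worth a check with the tunnel down.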
  8. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    I forgot to mention that that's just my rule set for UTorrent. My DNS rules are just like yours. I have one for my VPN DNS servers as well (10.x.x.x), and a rule for DHCP (Source Port - 68, Dest. Port - 67). Besides that, same thing you have.

    I'm also using a tool that flushes the DNS cache on VPN connect, so this vector is double-sealed now.

    Feel safer already. Thanks again.
     