Author Topic: Allow connection only through VPN with Comodo Firewall - how?  (Read 24225 times)

Offline archangel_1

  • Newbie
  • *
  • Posts: 2
Allow connection only through VPN with Comodo Firewall - how?
« on: October 04, 2009, 03:45:25 PM »
Hi

I would like to configure CFW (Comodo Firewall) to only let data pass in and out when I am connected to the VPN.

When the VPN goes down, all communications are dropped while CFW is on. I don't like to add this to a specific app or something, only as I described above.

How do i do this?

Say my IPs are .... (ISP IP) and (VPN IP)

Cheers!!


Offline Ronny

  • Retired - Product Translator
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 13551
  • Retired - Volunteer Moderator
Re: Allow connection only through VPN with Comodo Firewall - how?
« Reply #1 on: October 04, 2009, 03:57:15 PM »
Hi archangel_1,

It basically comes down to writing down all connections you need.

Needed to set up the connection:
DHCP ?
DNS ?
VPN Terminator IP+Ports&Protocols.

VPN Traffic:
Allow all traffic "inside" the VPN based on the IP range or ranges; in case of multiple ranges it's easier to define them in a Network Zone.

Block:
Block all remaining traffic.
Retired - Volunteer Moderator
Any concerns? Please send me a PM or review the Forum Policy -  update Jan 3rd 2013!

Offline archangel_1

Re: Allow connection only through VPN with Comodo Firewall - how?
« Reply #2 on: October 05, 2009, 01:25:08 AM »
Thank you for the answer. As I am a rookie, is there a guide for this? I think my question is quite basic and probably a lot of people are wondering the same.

Maybe there is a topic already, but i did not find it.

As I am using StrongVPN, there is a thread on how to do this with another firewall app; maybe somehow I can do the same with Comodo, but I don't know how ...
http://www.strongvpn.com/forum/viewtopic.php?id=294

Br / Angel

Offline Ronny

Re: Allow connection only through VPN with Comodo Firewall - how?
« Reply #3 on: October 07, 2009, 04:06:57 PM »
I'll post a few screenshots tomorrow if I have some time!

Offline Ronny

Re: Allow connection only through VPN with Comodo Firewall - how?
« Reply #4 on: October 08, 2009, 09:20:38 AM »
Hi archangel_1,

I'll try to explain what this is:
These are from the Global rules tab of the Network Security Policy.

Rule 1:
Allow UDP In/Out From Any to Any Source Port UDP 67/68 and Destination Port UDP 67/68
This is to allow UDP DHCP traffic in/out of the system so you can still get a dynamic IP address assigned.

Rule 2:
Allow TCP or UDP OUT from Any to Any and Destination Port 53
This is to allow DNS traffic to resolve names to ip addresses.

Rule 3:
Allow IP Out from Any to the IP address of the VPN box you are connecting to.
This will allow all VPN Traffic to the VPN Box you are using so you can setup the connection.

Rule 4:
Allow all traffic from the IP range inside your VPN tunnel. If you need more ranges, it would be easier to create a Network Zone, add the ranges in there and then use that zone in this rule. So also replace this by the ranges used in your VPN tunnels.

Rules 5, 6, 7, 8, 9:
Are the defaults.

Rule 10:
Block All other traffic.

Use the logging option to see how it works; you can later remove the logging options from the rules.

[attachment deleted by admin]
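The rule set above is entered through Comodo's GUI, so as an added example (not from the thread, nor Comodo's own configuration) here is the same "only through the VPN" policy expressed for the built-in Windows Firewall with the NetSecurity cmdlets (Windows 8 / Server 2012 and later). The VPN server address, port, TAP adapter alias and tunnel range are placeholders you replace. One caveat worth seeing in code: Rule 2 as written in the thread allows DNS to any resolver, so while the VPN is down name lookups still leave the machine to the ISP's resolver; the example keeps that behaviour and flags it.

```powershell
# Added example, not from the Comodo thread: Ronny's Global Rules 1-4 and 10 expressed
# for the built-in Windows Firewall (NetSecurity cmdlets, Windows 8 / Server 2012 and later),
# since Comodo's rules are only entered through its GUI. Run from an elevated prompt.
#
# Assumptions (replace with your own values; none of these come from the thread):
$VpnServer   = '203.0.113.10'            # IP of the VPN terminator (Rule 3); TEST-NET placeholder
$VpnPort     = 1194                      # OpenVPN's default port; check your provider's config
$TunnelAlias = 'TAP-Windows Adapter V9'  # TAP adapter alias: Get-NetAdapter | ft Name,InterfaceDescription
$TunnelNet   = '10.8.0.0/24'             # address range handed out inside the tunnel (Rule 4)
$Prefix      = 'VPN-only'                # rule-name prefix so the script can clean up after itself

# Start clean so the script is repeatable.
Get-NetFirewallRule -DisplayName "$Prefix*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Rule 1: DHCP (client port 68 <-> server port 67) so the ISP adapter still gets an address.
New-NetFirewallRule -DisplayName "$Prefix 1 DHCP out" -Direction Outbound -Action Allow `
    -Protocol UDP -LocalPort 68 -RemotePort 67 | Out-Null
New-NetFirewallRule -DisplayName "$Prefix 1 DHCP in" -Direction Inbound -Action Allow `
    -Protocol UDP -LocalPort 68 -RemotePort 67 | Out-Null

# Rule 2: DNS, needed to resolve the VPN server's name before the tunnel exists.
# Caveat: exactly as in the thread's Rule 2, this also lets queries reach the ISP resolver
# while the VPN is down, so the names you look up are visible to the ISP.
foreach ($proto in 'UDP', 'TCP') {
    New-NetFirewallRule -DisplayName "$Prefix 2 DNS $proto out" -Direction Outbound -Action Allow `
        -Protocol $proto -RemotePort 53 | Out-Null
}

# Rule 3: the VPN terminator itself, narrowed to its port rather than "IP Out to that host".
New-NetFirewallRule -DisplayName "$Prefix 3 VPN endpoint" -Direction Outbound -Action Allow `
    -Protocol UDP -RemoteAddress $VpnServer -RemotePort $VpnPort | Out-Null

# Rule 4: everything inside the tunnel. Binding the rule to the TAP adapter as well as to the
# tunnel range stops the same range from being reachable over the ISP adapter.
New-NetFirewallRule -DisplayName "$Prefix 4 tunnel out" -Direction Outbound -Action Allow `
    -InterfaceAlias $TunnelAlias -LocalAddress $TunnelNet | Out-Null
New-NetFirewallRule -DisplayName "$Prefix 4 tunnel in" -Direction Inbound -Action Allow `
    -InterfaceAlias $TunnelAlias -LocalAddress $TunnelNet | Out-Null

# Rule 10: block all other traffic. Windows Firewall has no ordered "last rule"; the equivalent
# is the profile default, which applies to any packet that no enabled Allow rule matches.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# Checks: the rules just created, the profile defaults, and (the part an ordered list like
# Comodo's does not have) every other enabled outbound Allow rule that still punches through.
Get-NetFirewallRule -DisplayName "$Prefix*" | Format-Table DisplayName, Direction, Action -AutoSize
Get-NetFirewallProfile | Format-Table Name, DefaultInboundAction, DefaultOutboundAction -AutoSize
Get-NetFirewallRule -Enabled True -Direction Outbound -Action Allow |
    Where-Object { $_.DisplayName -notlike "$Prefix*" } |
    Format-Table DisplayName, Profile -AutoSize
```

The last check matters because Windows ships with many enabled outbound Allow rules (for built-in apps and "Core Networking") that keep matching under a default-block profile; in Comodo the final "Block all" rule sits below everything, whereas here each stray Allow has to be disabled explicitly. Also note that the inbound half of Rule 4 admits anything from other hosts inside the tunnel range, so tighten it to specific ports if the provider's tunnel is shared with other customers.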

Offline djmixmode

  • Newbie
  • *
  • Posts: 11
Re: Allow connection only through VPN with Comodo Firewall - how?
« Reply #5 on: September 03, 2012, 04:04:32 AM »
How do you do this if your VPN IP addresses are completely dynamic? Like, one day it is 10.10.1.1 and the next day it is 123.56.67.123?

Offline Ronny

Re: Allow connection only through VPN with Comodo Firewall - how?
« Reply #6 on: September 03, 2012, 04:09:57 AM »
How do you do this if your VPN IP addresses are completely dynamic? Like, one day it is 10.10.1.1 and the next day it is 123.56.67.123?
You have to build your application rules based on MAC addresses instead of IPs to make this work that way.
Use 'ipconfig /all' in a command box to find the MAC address of your normal ISP interface and of the VPN one; use those as the source to filter between ISP and VPN traffic.

You can also add the MAC addresses of your ISP / VPN gateways to the rules: verify the IP addresses they have and use 'arp -a' to find the MAC addresses of those.
You have to double-check whether your VPN interface always ends up with the same MAC address, though.

Offline djmixmode

Re: Allow connection only through VPN with Comodo Firewall - how?
« Reply #7 on: September 03, 2012, 11:51:41 AM »
You have to build your application rules based on MAC addresses instead of IPs to make this work that way.
Use 'ipconfig /all' in a command box to find the MAC address of your normal ISP interface and of the VPN one; use those as the source to filter between ISP and VPN traffic.

You can also add the MAC addresses of your ISP / VPN gateways to the rules: verify the IP addresses they have and use 'arp -a' to find the MAC addresses of those.
You have to double-check whether your VPN interface always ends up with the same MAC address, though.

Thanks for the quick reply, Ronny. I can't get it to work that way, as the VPN I connect to has dynamic MAC addresses.

I actually just got the firewall setup to work through the VPN; I just have to edit the one entry in the Global Rules list to the IP address of the VPN that I connect to, when I connect.

For instance, I'll open up the firewall and enable it. Then I'll open up OpenVPN and watch it get denied trying to access the IP of the VPN; then I'll add that address to the Global Rules list (Rule 3 in your rules post).

Having to do this seems tedious and there has to be a better way, but that is the price of anonymity I suppose.....

Thanks again.
« Last Edit: September 03, 2012, 11:53:51 AM by djmixmode »

Offline Ronny

Re: Allow connection only through VPN with Comodo Firewall - how?
« Reply #8 on: September 05, 2012, 03:47:20 AM »
Have you tried to only use the source MAC of your VPN adapter and deny the source MAC of your other adapter on the application that is only allowed out through the VPN?
You shouldn't need the destination MAC; it's an addition.

Offline djmixmode

Re: Allow connection only through VPN with Comodo Firewall - how?
« Reply #9 on: September 06, 2012, 12:25:39 AM »
How do I know what the MAC address of the VPN adapter is? When I do an ipconfig /all I get a MAC for my wireless adapter (which I use to connect to the internet via my wireless router) and a MAC for a "TAP-Win32 adapter", which is what was installed when I installed OpenVPN. Is that the MAC I should use?

Offline djmixmode

Re: Allow connection only through VPN with Comodo Firewall - how?
« Reply #10 on: September 06, 2012, 12:28:03 AM »
When I do an arp -a, the list shows the IP address of the computer I am connecting to with the VPN (somewhere in the Netherlands usually) and next to it, it shows the MAC address and says "dynamic".... hence why I thought the VPN MAC address is dynamic.

Offline Ronny

Re: Allow connection only through VPN with Comodo Firewall - how?
« Reply #11 on: September 06, 2012, 04:16:59 AM »
How do I know what the MAC address of the VPN adapter is? When I do an ipconfig /all I get a MAC for my wireless adapter (which I use to connect to the internet via my wireless router) and a MAC for a "TAP-Win32 adapter", which is what was installed when I installed OpenVPN. Is that the MAC I should use?
Yes, the physical address of the TAP adapter should be used.

The 'dynamic' flag in arp means the ARP entry is dynamic, not static; a static entry would be added manually to the ARP table.

Offline djmixmode

Re: Allow connection only through VPN with Comodo Firewall - how?
« Reply #12 on: September 07, 2012, 10:28:37 PM »
OK, I tried that, put it in the source field and left the destination set to Any, and it did not work. It's a funny thing, because when I put the MAC address in the field it doesn't work, but when I put in the IP address that corresponds to the MAC address, it works.

Offline djmixmode

Re: Allow connection only through VPN with Comodo Firewall - how?
« Reply #13 on: September 07, 2012, 10:45:38 PM »
I finally got it to work by doing the following. I noticed that even though the IP address of the VPN that I am connecting to always changes, the hostname is always the same. I don't know why I didn't see this before.

Allow TCP OUT from Tap32 MAC to (vpn hostname)
Block TCP/UDP/IP IN/OUT from MAC (of my wireless adapter) to ANY

These are basically the rules I have set up.

It's strange how it works this way, because how is the Tap32 adapter working if my own physical wireless adapter is being blocked? It has to piggyback on it somehow.
« Last Edit: September 07, 2012, 10:48:33 PM by djmixmode »
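The hostname trick above works because Comodo resolves the name in the rule itself. As an added example (not from the thread, and not Comodo's or the VPN provider's code), the same "endpoint changes every day" problem from Reply #5 handled for Windows Firewall, whose rules hold addresses only: resolve the provider's hostname and rewrite the endpoint rule's remote addresses before the VPN client starts. The hostname, port and rule name are placeholders. The rule is only as trustworthy as the DNS answer; a spoofed answer just widens the allow to an attacker-chosen address, and it is the VPN client's own server authentication that protects the tunnel.

```powershell
# Added example, not from the thread: keep the firewall's "VPN endpoint" allow rule in step
# with a server whose address changes from day to day, by resolving the provider's hostname
# and rewriting the rule's remote addresses. Comodo accepts a hostname in a rule; Windows
# Firewall rules hold only addresses, so this script does the resolving step itself.
# Assumptions: the hostname, port and rule name below are placeholders. Run elevated,
# before starting the VPN client (and again whenever the connection is refused).

$VpnHost  = 'vpn.example.net'          # assumption: your provider's server name
$VpnPort  = 1194                       # assumption: OpenVPN default
$RuleName = 'VPN-only 3 VPN endpoint'  # assumption: the allow rule for the VPN terminator

function Get-VpnEndpointAddresses {
    param([string]$HostName)
    # Ask for A and AAAA records; CNAME entries in the answer carry no IPAddress and are dropped.
    Resolve-DnsName -Name $HostName -Type A_AAAA -ErrorAction Stop |
        Where-Object { $_.IPAddress } |
        Select-Object -ExpandProperty IPAddress -Unique
}

function Update-VpnEndpointRule {
    param([string]$Name, [string[]]$Addresses, [int]$Port)
    $rule = Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue
    if ($null -eq $rule) {
        New-NetFirewallRule -DisplayName $Name -Direction Outbound -Action Allow `
            -Protocol UDP -RemoteAddress $Addresses -RemotePort $Port | Out-Null
    } else {
        # Replace the address list only; the protocol and port filters stay as they were.
        $rule | Set-NetFirewallRule -RemoteAddress $Addresses
    }
    # Read back what the firewall actually holds rather than trusting the input.
    (Get-NetFirewallRule -DisplayName $Name | Get-NetFirewallAddressFilter).RemoteAddress
}

$addrs = @(Get-VpnEndpointAddresses -HostName $VpnHost)
if ($addrs.Count -eq 0) {
    throw "No address for $VpnHost: the DNS rule may be missing or the resolver unreachable."
}
$applied = Update-VpnEndpointRule -Name $RuleName -Addresses $addrs -Port $VpnPort
"Endpoint rule '$RuleName' now allows: $($applied -join ', ')"
```

Because the lookup goes through the Windows resolver, it needs the thread's DNS rule (Rule 2) to be in place, and it sees the same answer the VPN client will use; if the provider rotates addresses behind the name more often than once per session, schedule the script as a task that runs just before the VPN client.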

Offline djmixmode

Re: Allow connection only through VPN with Comodo Firewall - how?
« Reply #14 on: September 07, 2012, 11:01:06 PM »
Another crazy thing. When I do all of the "who am I" utilities online and speed tests, it shows my location as wherever the VPN is (Sweden, the Netherlands, etc.). But when I do the W3C location test, such as the Google "where am I" test, it shows my real location. Why is this???

 
