Allow connection only through VPN with Comodo Firewall - how?


I like to configure CFW (Comodo firewall) to only let data pass in and out when i am connected to the VPN.

when VPN goes down all communications are dropped, when CFW is On. I dont like to add this to a specific app or something, only as i described above.

How do i do this?

Say my ip´s are … (ISP IP) and (VPN IP)

O0 cheers !!

Hi archangel_1,

It basically comes down to writing down all connections you need.

Needed to setup connection:
VPN Terminator IP+Ports&Protocols.

VPN Traffic:
Allow all traffic “inside” the VPN based on ip range and or ranges, in case of ranges it’s easier to use a network Zone to define those ranges in.

Block all remaining traffic.

Thank you for the answer, as i am a rooky , it there a guide for this. I think my questions is quite basic and probably a lot of people maybe are wondering the same.

Maybe there is a topic already, but i did not find it.

As i am usin StrongVPN there is a thread how to do this with an other Firewall app, maybe somehow i can do the same with Comodo, but i don’t know how …

Br / Angel

I’ll post a few screenshots tomorrow if i have some time !

Hi archangel_1,

I’ll try to explain what this is:
These are from the Global rules tab of the Network Security Policy.

Rule 1:
Allow UDP In/Out From Any to Any Source Port UDP 67/68 and Destination Port UDP 67/68
This is to allow UDP DHCP traffic In/Out the system so you can still get a dynamic IP Address assigned.

Rule 2:
Allow TCP or UDP OUT from Any to Any and Destination Port 53
This is to allow DNS traffic to resolve names to ip addresses.

Rule 3:
Allow IP Out from Any to IP Address of you VPN box you are connecting to.
This will allow all VPN Traffic to the VPN Box you are using so you can setup the connection.

Rule 4:
Allow All the Traffic from the ip range inside your VPN tunnel if you need more ranges it would be easier to create a Network zone and add the ranges in there and then use that zone in this rule. So also replace this by the ranges used in your VPN Tunnels.

Rule 5,6,7,8,9
Are default

Rule 10:
Block All other traffic.

Use the logging option to see how it works, you can later remove these logging options from the rules.

[attachment deleted by admin]

How do you do this if your VPN ip address are completely dynamic? Like, one day it is and the next day it is

You have to build your application rules based on MAC address instead of IP’s to make this work that way.
Use ‘ipconfig /all’ in a command-box to find your MAC address of your normal ISP interface and the VPN one, use those as source to filter between ISP and VPN traffic.

You can also add the MAC address of your gateways for ISP / VPN to the rules, verify the IP addresses they have and use ‘arp -a’ to find the MAC addresses of those.
You have to double check if your VPN interface always ends up in the same MAC address though.

Thanks for the quick reply, Ronny. I can’t get it to work that way as the VPN i connect to has dynamic MAC addresses.

I actually just got the firewall setup to work through the VPN, I just have to edit the one entry in the global rules list to the ip address of the VPN that I connect to it when I connect.

For instance, I’ll open up the firewall and enable it. Then I’ll open up OpenVPN and watch it get denied trying to access the IP of the VPN, then I’ll add that address to the global rules list (RULE 3 in your rules list post).

Having to do this seems tedious and there has to be a better way but that is the price of anonymity i suppose…

Thanks again.

Have you tried to only use the source MAC of your VPN adapter and Deny the Source MAC of your other on the application that is only allowed out the VPN?
You shouldn’t need destination MAC, it’s an addition.

How do I know what the MAC address is of the VPN adapter? When I do a ipconfig /all I get a MAC for my wireless adapter (which I use to connect to the internet via my wireless router) and a MAC for a “Tap-Win32 adapter” which is what installed when i installed OpenVPN. Is that the MAC I should use?

When I do an ARP -A, in the list it shows the IP address of the computer I am connecting to with the VPN (somewhere in the Netherlands usually) and next to it, it shows the MAC address and says “DYNAMIC”… hence why I thought the VPN MAC address is dynamic.

Yes the Physical address of the Tap adapter should be used.

The ‘Dynamic’ option in arp means the ARP entry is dynamic not static, a static entry would be added manually to the arp table.

Ok I tried that, and put it in the source field and left destination set at any and it did not work. It’s a funny thing because when I put the MAC address in the field it doesn’t work, but when I put the IP address in, which is the corresponding MAC address, it works.

I finally got it to work by doing the following. I noticed that even though the IP address of the VPN that I am connecting to always changes, the hostname is always the same. I don’t know why I didn’t see this before.

Allow TCP OUT from Tap32 MAC to (vpn hostname)
Block TCP/UDP/IP IN/OUT from MAC (of my wireless adapter) to ANY

These are basically the rules I have set up.

Its strange how it works this way because how is the Tap32 adapter working if I have my own physical wireless adapter being blocked. It has to piggyback it somehow.

Another crazy thing. When I do all of the who am i utilities online and speed tests, it shows my location as wherever the VPN is (sweden, the netherlands, etc) But when I do the W3C location test such as the google where am i test, it shows my real location. Why is this???

Probably a Google knows… There is a part of it on here, there are much variables that are used in the ‘where am I’ check.

how do i do this for a specific application?

Open Comodo

Firewall Tab

Click Network Security Policy

Under Application Rules click the Add button

Define the program parameters, whether you would like to add or block it

no i want to allow a specific application to access the internet only through vpn, i don’t want that application to access the net if the vpn connection is off.

I figured you knew what i was talking about. You have to edit the rule and add the ip or the domain of the vpn in the definition of the app that you want to add