Allow only PPTP VPN traffic

Hi All,

This question is actually similar to the post about allowing LAN traffic a few posts down, and I have been experimenting that way… with varying results (I don’t understand them, actually).

I want to run uTorrent over a PPTP VPN connection. At each new connect a random subnet IP is handed out, so I cannot work with IP numbers, I think (not sure). I’ve tried to define a zone for this VPN, both by adding a DNS suffix to the connection and by using the address in the dial-up connection, and then defining a rule as in the other post excluding all non-VPN traffic, one rule for outgoing and one for incoming,

like block/IP/in/any/zone or hostname (tried both) and the exclude ticked/any
and block/IP/out/zone or hostname (tried both) and the exclude ticked/any/any

I ticked event writing for these new rules, and after starting up uTorrent blocking events appear; at the same time certain connections are actually established (and are visible in the connections), because uTorrent traffic does not grind to a halt? So I end up with connections blocked that are similar to connections established; that’s the part I don’t get. Maybe this exclude has an effect on the other settings like ports, I don’t know.

Just for clarity, without these rules things work as they should, the setup is along the lines of the recommended setting in the relevant thread elsewhere on this forum.

The objective is to not allow connections over the normal internet connection in case the VPN drops and Windows reverts to the default connection.

Maybe somebody has tried this and come up with a solution?

PS: one thing that does work is to define my home network as a zone and stuff it in the blocked zones, but that’s a bit over the top and not always very handy.

The only right way to do this is to create a rule with “Source” = VPN interface. But COMODO does not supply such a feature.
I have almost the same issue. I also need allowing/blocking by network card, not by IP/host/etc.
So it is written down in the CIS wishlist; search for it later and add your voice for that =)

I have found a satisfactory solution: I’ve stopped trying the exclude approach and applied the allow approach. I’ve defined the IP ranges of the VPN connections as a zone, and instead of specifying “all” in source/destination I have now put this new “vpn” zone.

This works; the only thing I’m unsure about is allowing more than I need, as I’ve got only one IP… Some DCOM attacks have occurred from within the range… But I’ve added the range to ipfilter.dat and have made sure the DCOM hole is closed… And then Avast does some network protection as well…

Any comments/observations are welcome!

It is not the best solution, but anyway it works =)
Another weak point of COMODO: the same IP range via different network devices.
For example, my LAN is 192.168.0.0/24, and I grant some access to this LAN to some programs.
But on WiFi I can also receive an IP address of (for example) 192.168.0.5, so it would be in the “trusted” range and I have to remember this.
Even an “Enable/Disable” rule could improve the situation. But I still think that adding a feature like “My Network Card” would solve many possible troubles.
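Both replies above ask for a rule that matches on the interface a packet uses (“Source = VPN interface”, “My Network Card”) rather than on an IP range, because the VPN address changes on every connect and a LAN range can be reachable over more than one adapter. As an added example that is not part of this thread and not a COMODO feature, the following PowerShell script builds exactly that kind of kill switch with the built-in Windows Firewall (the NetSecurity cmdlets available on Windows 8 / Server 2012 and later), which can scope a rule by interface type: a PPTP dial-up connection appears as a RemoteAccess interface, and physical adapters as Wired or Wireless. The uTorrent path is an assumed placeholder; check your own adapters with Get-NetAdapter before relying on the rules.

```powershell
# Added example (not from the thread): interface-scoped "VPN only" rules for
# uTorrent using the Windows Firewall NetSecurity module. Run elevated.
# ASSUMPTION: the executable path is a placeholder; adjust it to your install.
$App = 'C:\Program Files (x86)\uTorrent\uTorrent.exe'

# 1. Block uTorrent on every physical adapter, in both directions.
#    Windows Firewall evaluates Block rules before Allow rules, so no other
#    rule can re-open a wired or wireless adapter for this program. When the
#    VPN drops and Windows falls back to the normal connection, uTorrent is
#    left with no permitted interface at all.
foreach ($type in 'Wired', 'Wireless') {
    foreach ($dir in 'Inbound', 'Outbound') {
        New-NetFirewallRule -DisplayName "uTorrent block $dir on $type" `
            -Direction $dir -Program $App -InterfaceType $type `
            -Action Block -Profile Any -Enabled True | Out-Null
    }
}

# 2. Allow uTorrent on RemoteAccess interfaces (dial-up/PPTP VPN connections).
#    The rule never mentions an address, so the random subnet handed out on
#    each connect does not matter. The inbound rule is what lets peers reach
#    uTorrent through the tunnel, since inbound traffic is blocked by default.
foreach ($dir in 'Inbound', 'Outbound') {
    New-NetFirewallRule -DisplayName "uTorrent allow $dir via VPN" `
        -Direction $dir -Program $App -InterfaceType RemoteAccess `
        -Action Allow -Profile Any -Enabled True | Out-Null
}

# 3. Verify the rule set, showing the interface scoping of each rule.
Get-NetFirewallRule -DisplayName 'uTorrent *' | ForEach-Object {
    $ifFilter = $_ | Get-NetFirewallInterfaceTypeFilter
    '{0,-36} {1,-8} {2,-6} {3}' -f $_.DisplayName, $_.Direction, $_.Action, $ifFilter.InterfaceType
}
```

To confirm the kill switch behaves as intended, disconnect the VPN while uTorrent is running and watch its connections drop to zero, then reconnect and watch them return; the blocked attempts show up in the firewall log if logging of dropped packets is enabled for the profile. Two caveats a practitioner would add: the rules are tied to the program path, so a reinstall to a different directory silently leaves uTorrent unscoped, and PPTP itself (MS-CHAPv2 and MPPE) is cryptographically weak, so the rules protect against leaking traffic onto the wrong interface but not against an attacker on the path reading the tunnel.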