How can one restrict network activity to only the VPN on a Mac and prevent unsecured internet activity?
I'm using Mac OS and connect to a VPN to hide my location and IP (I have the 'send all traffic over VPN connection' box checked in the Network system pref). I wish to remain anonymous and do not wish to reveal my actual IP, hence the VPN. I have a prefpane called pearportVPN that automatically connects me to my VPN when I get online. The problem is, when I connect to the internet using Airport (or other means) I have a few seconds of unsecured internet connection before my Mac logs onto my VPN. Therefore it's only a matter of time before I inadvertently expose my real IP address in the few seconds it takes between when I connect to the internet and when I log onto my VPN.
Is there any way I can block any traffic to and from my Mac that does not go through my VPN, so that nothing can connect unless I'm logged onto my VPN? I suspect I would need to find a third-party app that would block all traffic except through the Server Address, perhaps Intego Virus Barrier X6 or Little Snitch, but I'm afraid I'm not sure which is right or how to configure them.
Any help would be much appreciated. Thanks!
Solution 1:
You would use a firewall to (a) restrict all outbound network traffic other than traffic destined for your VPN server, and then (b) permit any traffic over your VPN interface. The restrictions in (a) would have to include allowances for negotiating a DHCP lease, unless you're using static addressing.
You should be able to accomplish this using the "ipfw" utility from the command line. The firewall available via the "Security" preference pane (new in OS X 10.5, I think) won't allow you to block outbound traffic.
Basic information about ipfw can be found in the FreeBSD handbook.
Once you come up with an appropriate firewall script, you would need to arrange for it to become active when your system starts up. The man pages on launchd, launchctl, and launchd.plist may all be helpful.
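The firewall-plus-launchd arrangement described in this answer, as an added example that is not part of the original answer or of any VPN product: a POSIX shell script that writes an ipfw rule file implementing the policy (only loopback, the tunnel interface, DHCP on the uplink and the PPTP control/GRE channels to the VPN server are allowed; everything else is denied, which also keeps DNS from leaving outside the tunnel) and the launchd job that loads that file at boot. The VPN server address 203.0.113.10, the interface names ppp0 and en1, the output directory and the launchd label local.ipfw are assumptions; adjust them to your setup.

```shell
#!/bin/sh
# Added example, not code from the original answers: generates an ipfw rule
# file for the "only the VPN may be reached" policy plus a launchd job that
# loads it at boot. Run unprivileged to review the output, then copy the two
# files into place as root. The values below are placeholders.
VPN_HOST="${VPN_HOST:-203.0.113.10}"  # hypothetical VPN server (TEST-NET-3)
VPN_IF="${VPN_IF:-ppp0}"              # tunnel interface used by PPTP/L2TP
UPLINK="${UPLINK:-en1}"               # physical interface that needs DHCP

# Print the rule set. ipfw evaluates rules in number order and stops at the
# first match, so the explicit deny sits just below the built-in rule 65535,
# which on OS X is "allow ip from any to any". "flush" at the top discards
# whatever was loaded before (ipfw -q implies -f, so no prompt).
build_rules() {
    host="$1"; vif="$2"; up="$3"
    cat <<EOF
flush
add 00100 allow ip from any to any via lo0
add 00200 allow ip from any to any via $vif
add 00300 allow udp from any 68 to any 67 out via $up
add 00310 allow udp from any 67 to any 68 in via $up
add 00400 allow tcp from me to $host dst-port 1723 setup keep-state
add 00410 allow gre from me to $host
add 00420 allow gre from $host to me
add 00500 check-state
add 65000 deny log ip from any to any
EOF
}

# Write the rule file and a launchd plist into $1. The plist points at the
# final location /etc/ipfw.rules, not at the review copy.
install_rules() {
    dest="$1"
    mkdir -p "$dest"
    build_rules "$VPN_HOST" "$VPN_IF" "$UPLINK" > "$dest/ipfw.rules"
    cat > "$dest/local.ipfw.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>local.ipfw</string>
    <key>ProgramArguments</key>
    <array>
        <string>/sbin/ipfw</string>
        <string>-q</string>
        <string>/etc/ipfw.rules</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
}

OUT_DIR="${OUT_DIR:-/tmp/ipfw-example}"
install_rules "$OUT_DIR"
echo "review $OUT_DIR/ipfw.rules, then as root:"
echo "  cp $OUT_DIR/ipfw.rules /etc/ipfw.rules"
echo "  cp $OUT_DIR/local.ipfw.plist /Library/LaunchDaemons/"
echo "  launchctl load -w /Library/LaunchDaemons/local.ipfw.plist"
```

Rule 00400 uses setup keep-state so only the SYN to the VPN host's port 1723 is matched statically; the rest of that control connection, in both directions, is admitted by check-state from the dynamic entry it created, so no broad "established" rule is needed. Since the rules are loaded by launchd before any interface comes up, the window between link-up and tunnel-up described in the question is covered as well.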
Solution 2:
I'm using Snow Leopard and am using the shell script below. It only permits traffic through the PPTP VPN tunnel. Note that it doesn't make any exceptions for local DHCP traffic.
#!/bin/sh
# Loads an ipfw rule set that only lets traffic leave through the PPTP tunnel.
# Must run as root; -f answers the confirmation prompt that "flush" would show.
# Clean any pre-existing rules
ipfw -f flush
# Allow any kind of traffic to go through ppp0 (our VPN interface)
ipfw -f add allow all from any to any via ppp0
# Allow the GRE data channel (used with PPTP)
ipfw -f add allow gre from any to any
# Allow the PPTP control connection to any remote server on port 1723
ipfw -f add allow tcp from any to any dst-port 1723
# check-state consults the dynamic rule table; it only matters for rules that
# carry keep-state, of which this set has none, so it is harmless here
ipfw -f add check-state
# Let the established (ACK-bearing) packets of the port-1723 control
# connection back through the firewall; restricted to source port 1723 so
# that other established TCP flows are not accepted wholesale
ipfw -f add allow tcp from any 1723 to any established
# Closing up: drop everything else, since OS X's built-in rule 65535 is
# "allow ip from any to any"
ipfw -f add 65533 reject log udp from any to any
ipfw -f add 65534 deny log ip from any to any
Solution 3:
Be aware that even ipfw rules cannot protect you from a number of common leaks, including DNS leakage, IPv6 leakage and the time lag between when the network comes up and when the default route is changed! I use Waterroof on my Mac to work with firewall configurations, and the following sets of rules should import into Waterroof:
IPFW IPv4 Rules
# 00010: drop all inbound ICMP
add 00010 deny icmp from any to any in
# 00100-00120: loopback is allowed; 127/8 arriving on a real interface is not
add 00100 allow ip from any to any via lo*
add 00110 deny ip from 127.0.0.0/8 to any in
add 00120 deny ip from any to 127.0.0.0/8 in
# 00130-00140: Bonjour/mDNS on the link-local multicast group
add 00130 allow udp from any to 224.0.0.251 dst-port 5353
add 00140 allow udp from 224.0.0.251 to any dst-port 5353
# 00300-00500: other inbound multicast and port-0 junk
add 00300 deny ip from 224.0.0.0/3 to any in
add 00400 deny tcp from any to 224.0.0.0/3 in
add 00500 deny tcp from any to any dst-port 0 in
# 00600: admit replies to flows recorded by the keep-state rules below
add 00600 check-state
# 01000-01001: all outbound TCP/UDP from this host is allowed and tracked,
# whichever interface it leaves on; these two rules do not confine it to the VPN
add 01000 allow tcp from me to any keep-state
add 01001 allow udp from me to any keep-state
# 25000-25100: anything to and from the VPN host (covers GRE, ESP and the like)
add 25000 allow ip from me to "INSERT VPN HOST HERE"
add 25100 allow ip from "INSERT VPN HOST HERE" to me in
# 33300: ACK-bearing packets that matched no dynamic rule are dropped
add 33300 deny tcp from any to any established
# 65000: DHCP offers/acks from a server (port 67) to the client port 68
add 65000 allow udp from any 67 to any dst-port 68 in
# 65100: would log inbound pings, but 00010 already dropped all inbound ICMP
add 65100 deny log icmp from any to me in icmptypes 8
# 65200-65400: drop all remaining inbound traffic
add 65200 deny udp from any to any in
add 65300 deny icmp from any to any in
add 65400 deny ip from any to any in
# 65535: the built-in default rule; outbound traffic not matched above is allowed
add 65535 allow ip from any to any
IPFW IPv6 Rules
# 02070: block all IPv6 (the answer for the IPv6 leak mentioned above)
add 02070 deny ipv6 from any to any
# 33300: log inbound echo requests; ordered after 02070, so 02070 shadows it
add 33300 deny log ipv6-icmp from any to any in icmptype 128
Source: http://blog.c22.cc/2011/07/31/protecting-your-osx-with-ipfw-and-littlesnitch/
Regarding DNS leakage you could use: http://opendns.github.io/dnscrypt-osx-client/
DNSCrypt is a way of securing the "last mile" of DNS traffic and resolving an entire class of serious security concerns with the DNS protocol e.g. tampering, or man-in-the-middle attacks, and snooping of DNS traffic at the last mile.
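The three leak paths this answer warns about (default route still on the physical interface, resolvers outside the tunnel, a live IPv6 address) can be checked rather than assumed. The script below is an added example, not part of the original answer or of Waterroof, DNSCrypt or any VPN client: it parses the output of netstat -rn, scutil --dns and ifconfig and reports each leak it finds. The parsers take text as arguments, so they are exercised here on constructed samples (documentation addresses, not captured from a real host); live_audit runs the same checks on the real commands. The tunnel interface ppp0 and the resolver prefix 10.8. are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original answers: audits the leak paths
# Solution 3 lists by parsing netstat -rn, scutil --dns and ifconfig output.
VPN_IF="${VPN_IF:-ppp0}"      # tunnel interface (assumption)
VPN_NET="${VPN_NET:-10.8.}"   # prefix the tunnel's resolvers must lie in (assumption)

# Succeeds when the first IPv4 "default" line of netstat -rn lists $2 as its
# interface; the Netif column is last or next to last (before Expire).
default_route_via() {
    printf '%s\n' "$1" | awk -v ifn="$2" '
        $1 == "default" && !seen { seen = 1; ok = ($NF == ifn || $(NF-1) == ifn) }
        END { exit ok ? 0 : 1 }'
}

# Succeeds when scutil --dns lists at least one resolver and every one of them
# starts with the tunnel prefix; lines look like "  nameserver[0] : 10.8.0.1".
resolvers_inside() {
    printf '%s\n' "$1" | awk -v pfx="$2" '
        $1 ~ /^nameserver\[/ { n++; if (index($3, pfx) != 1) bad++ }
        END { exit (n > 0 && !bad) ? 0 : 1 }'
}

# Succeeds when no interface in ifconfig output carries an IPv6 address other
# than loopback or link-local, i.e. nothing can route around the IPv4 rules.
no_global_ipv6() {
    printf '%s\n' "$1" | awk '
        $1 == "inet6" && $2 !~ /^fe80:/ && $2 != "::1" { bad++ }
        END { exit bad ? 1 : 0 }'
}

# Runs all three checks, prints one line per finding, returns the leak count.
audit() {
    leaks=0
    default_route_via "$1" "$VPN_IF" || { echo "LEAK: default route is not via $VPN_IF"; leaks=$((leaks + 1)); }
    resolvers_inside "$2" "$VPN_NET" || { echo "LEAK: a resolver lies outside $VPN_NET"; leaks=$((leaks + 1)); }
    no_global_ipv6 "$3" || { echo "LEAK: a routable IPv6 address is configured"; leaks=$((leaks + 1)); }
    return $leaks
}

# Same checks against the running system (OS X only).
live_audit() { audit "$(netstat -rn)" "$(scutil --dns)" "$(ifconfig)"; }

# Constructed samples in the shape of the real command output.
NETSTAT_BEFORE_VPN='Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.0.2.1          UGSc           10        0     en1
192.0.2/24         link#5             UCS             2        0     en1'
NETSTAT_ON_VPN='Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            10.8.0.1           UGSc            5        0    ppp0
203.0.113.10       192.0.2.1          UGHS            1        0     en1'
SCUTIL_BEFORE_VPN='resolver #1
  nameserver[0] : 192.0.2.1'
SCUTIL_ON_VPN='resolver #1
  nameserver[0] : 10.8.0.1'
IFCONFIG_V6='en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::21f:5bff:fe1a:2b3c%en1 prefixlen 64 scopeid 0x5
        inet 192.0.2.20 netmask 0xffffff00 broadcast 192.0.2.255
        inet6 2001:db8::20 prefixlen 64 autoconf'
IFCONFIG_V4_ONLY='en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::21f:5bff:fe1a:2b3c%en1 prefixlen 64 scopeid 0x5
        inet 192.0.2.20 netmask 0xffffff00 broadcast 192.0.2.255'

echo "before the tunnel comes up:"
audit "$NETSTAT_BEFORE_VPN" "$SCUTIL_BEFORE_VPN" "$IFCONFIG_V6" || echo "  $? leak(s)"
echo "with the tunnel up and IPv6 off:"
audit "$NETSTAT_ON_VPN" "$SCUTIL_ON_VPN" "$IFCONFIG_V4_ONLY" && echo "  clean"
```

The "before" sample is what a Mac looks like in the window the question describes: default route on en1, the ISP's resolver, and an autoconfigured IPv6 address; all three checks fire. The "after" sample shows the state a correctly configured tunnel leaves behind, with the only en1 route being the host route to the VPN server itself. Running live_audit from the firewall script, or from a periodic launchd job, turns the caveat in this answer into something that is actually verified.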