by rink » Sun Jan 01, 2012 7:04 pm
Hello,
I was able to block connections in case the VPN drops using the new firewall utility that comes with Lion: pf.
This is what I did to set new basic rules for the firewall and enable it at startup:
First I went to /etc/pf.conf and added the following lines to the end of the text file, after the "load anchor "com.apple" from "/etc/pf.anchors/com.apple"" line:
IF = en0
IF_VPN = tun0
set skip on lo0
block log all
pass on $IF proto { udp, tcp } to { server-ip1, server-ip2, server-ip3, server-ip4 } port { 1194, 443 }
pass on $IF_VPN
The first line tells pf which interface you're using to connect. I'm connecting directly by an Ethernet cable, which is why I used "IF = en0"; change that to "IF = en1" if using Wi-Fi or "IF = ppp0" if using a USB 3G modem.
The rest is VPN-provider specific: my provider has 4 different servers, available on UDP port 1194 or TCP port 443, using the tun0 interface.
My VPN uses IP addresses in its config file, but some providers use a hostname instead (like server.vpnvprovider.com). I'm not sure if a hostname can be used inside the {} as in:
pass on $IF proto { udp, tcp } to { server.vpnvprovider.com } port { 1194, 443 }
It's probably possible, but we would have to leave port 53 open so that DNS can resolve the hostname to an IP, and I suppose that could be considered a "leak".

In case your provider gives you only a hostname instead of an IP address, you can find out the IP addresses in the Terminal with the "nslookup" command. Example:
nslookup google.com
Non-authoritative answer:
Name: google.com
Address: 173.194.34.112
Name: google.com
Address: 173.194.34.113
Name: google.com
Address: 173.194.34.114
Name: google.com
Address: 173.194.34.115
Name: google.com
Address: 173.194.34.116
Now you can add the addresses it returns to the "pass on $IF proto { udp, tcp } to { server-ip1, server-ip2, server-ip3, server-ip4 } port { 1194, 443 }" line.
Finally, to start the firewall and make it start at boot (it's off by default), go to /System/Library/LaunchDaemons/com.apple.pfctl.plist and edit that file to add a "<string>-e</string>" line so that part looks like this:
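An added example (not from the original post) that automates the step just described: it reads nslookup output, keeps only the answer addresses (the resolver's own "Address: ...#53" line is skipped, and duplicates are dropped) and prints the pass line for the chosen interface. The hostname vpn.example.net and its addresses are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post: build the pf.conf "pass" line
# from nslookup output so only the VPN servers are reachable on $IF.
# Assumes POSIX sh and awk, and nslookup output in the format shown above.

# Usage: pf_pass_rule IFACE PORTS < nslookup-output
#   IFACE is the value of the IF macro (en0, en1, ppp0 ...), PORTS the port list.
pf_pass_rule() {
    iface="$1"
    ports="$2"
    # Keep "Address:" lines, skip the resolver line (it carries a "#53"
    # suffix and must not end up in the rule) and de-duplicate addresses.
    addrs=$(awk '
        $1 == "Address:" && $2 !~ /#/ && !seen[$2]++ { a = a (a ? ", " : "") $2 }
        END { print a }')
    [ -n "$addrs" ] || { echo "no addresses found in nslookup output" >&2; return 1; }
    printf 'pass on %s proto { udp, tcp } to { %s } port { %s }\n' \
        "$iface" "$addrs" "$ports"
}

# Constructed sample: nslookup output for a hypothetical provider hostname.
SAMPLE='Server:  192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
Name: vpn.example.net
Address: 203.0.113.10
Name: vpn.example.net
Address: 203.0.113.11
Name: vpn.example.net
Address: 203.0.113.10'

# Prints the line to append to /etc/pf.conf. Before enabling pf, parse the
# file without loading it: pfctl -nf /etc/pf.conf
printf '%s\n' "$SAMPLE" | pf_pass_rule en0 "1194, 443"
```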
<array>
    <string>pfctl</string>
    <string>-e</string>
    <string>-f</string>
    <string>/etc/pf.conf</string>
</array>
Reboot and the firewall should be up now. It will appear as if you're not connected to any network; the only app that will be able to use the internet will be Viscosity, so you can run it now and connect to your VPN.

I hope this helps. I tested this a little and it worked fine for me, but I barely know how to use pf, so I hope I haven't done anything wrong (:
To disable the firewall, just edit /System/Library/LaunchDaemons/com.apple.pfctl.plist back to what it was and reboot.