Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I am starting to see the light at the end of the (VPN) tunnel. Sorry, I could not resist. Anyhow, I have used ShieldsUP to do some testing which has been somewhat inconclusive. When I am connected to my VPN provider I am really scanning the ports on their exit server. This does look good. Without the VPN activated I am scanning my ISP-provided DSL modem/router. This device APPEARS to have all sorts of neat configuration options. However, they do not work. I cannot turn off or disable the built-in firewall (even though it indicates it is disabled).
I have been scanning my machines with Zenmap. This utility works from within my LAN. Results so far are promising. The Linux firewall seems to be blocking everything I wish to block. My final test will be to temporarily assign a fixed IP address to the incoming interface on my sharing PC and then connect it to a hub with another PC on the same subnet. I will run Zenmap from that PC and I should get a good representation of what I am presenting to the Internet.
If that looks good I will return the topology to the original plan. The modem/router thing will be set to bridge mode so that my Linux firewall will be my real firewall. When the replacement modem/router arrives from the ISP next week (after speaking/chatting with seventeen "technical" support droids at the ISP, including several "supervisors." They must train these people to be so stupid. If humans were born this dumb the human race would have long ago died out.) Off soapbox... I will set the new device to bridged mode and get on with more important things - like bootlegging music or reading fake news.
If possible, I would take a box and temporarily run a DHCP server on it, connect it to your router/modem's input - the bit that goes to the internet - and scan there. That is the access hackers have. If not, make sure the box with the firewall is the only thing in the house with access to that modem, and route all else through your firewall. If there's to be wifi access, the firewall box has to run the wireless server for the rest, and turn the router's wifi off, or make it inaccessible to all except the firewall. That last option leaves you organizing one very tricky wireless setup.
The modem/router box is monolithic. I cannot tap in between the modem side and the router side. I am at the moment a bit constrained in making any changes to my topology. The USB to Ethernet dongle has a bad cable and if I flex it out of a narrow range it drops the connection. A new one is due in today or tomorrow. In the interim...
I placed the incoming interface on the shared box in the "block" zone. I then switched the modem/router to bridged mode. The shared PC now picks up the IP address from my ISP. A ShieldsUP scan shows that most ports are stealthed and a few are "closed." I moved the interface to the "drop" zone and now all ports are stealthed. I guess that should do the trick. WiFi is turned off as I really do not need it at the moment. If I ever do I will daisy-chain another router/access point from the down side of the shared PC.
As to the VPN... If I run a ShieldsUP test while connected I am obviously banging the firewall on the VPN exit server. Both of my providers seem to have a decent firewall in place. Everything is stealthed except for port 443 (https) which is closed on one provider's servers.
As to my original question - does the PC firewall filter the VPN connection? Darned if I know or can prove one way or the other.
The "close port 80" drill was a test which led to somewhat inconclusive results. The original question I was attempting to resolve was with regard to a firewall I set up on my "shared" connection PC. If I block "everything" incoming unless in response to an outgoing request and THEN I connect to a VPN using OpenVPN ON THE SHARED PC - does the VPN tunnel through my firewall on the PC? If I activate a firewall on my router and then connect with a VPN running on a PC connected to the router, it does blow right through the router's firewall.
Yes, if your VPN client runs on the same machine as the firewall, then the encrypted tunnel essentially bypasses your firewall rules. If you're worried about traffic coming from the tunnel, then you really need a firewall behind it to filter the unencrypted traffic.
Thanks ferrari - but how do I do that without having another machine in the circuit? My port 80 experiment implied that the tunnel obeyed the rules of the zone in which the tun0 connection was located. The firewalls on the various machines on my LAN cannot do the job as they need to allow ssh, nfs and vnc traffic.
On the other hand, if I look at the ShieldsUP scan data when the VPN is connected, I am really looking at the firewall on the VPN exit server. Last evening I connected to a different server among the offerings of Proton VPN. This one shows port 443 (https) OPEN when I do a ShieldsUP scan from MY PC. Is this a vulnerability to my network???
I would opine not. I am NOT running anything which accepts https connections. The VPN exit server is obviously running some sort of NAT as many customers can connect to it and use the VPN at the same time. If an attacker entered the VPN server on port 443 he would not find a similar port open or even responding on my firewall PC.
I guess I really need to take the output of the VPN tunnel and feed it back into the firewall. But I have no clue how to do such a thing if it is even possible.
It is really the VPN server that needs to be trusted here. Suitable server firewall rules could be put in place to block port 80 traffic if desired. For example, I connect to a remote corporate network using a VPN, and it is their firewall to the internet that protects my client laptop when using a VPN.
FWIW, I connect using a PPTP tunnel (ppp0 is the tunnel interface similar to tun0 for OpenVPN connectivity). I can block port 80 traffic leaving/arriving using the following iptables rules...
Code:
# iptables -A INPUT -i ppp0 -p tcp --dport 80 -j DROP
# iptables -A OUTPUT -o ppp0 -p tcp --dport 80 -j DROP
Maybe you can employ a similar rule on your client firewall.
Yes, the VPN server needs to be trusted. However, as has been in the news the last couple of days some VPN providers who "keep NO logs" actually do. As to port 80 I DO NOT CARE. That was just a test I was attempting.
I do in fact have a second firewall running on all of the PCs and servers on my LAN. At the moment they only allow ssh, vnc and nfs connections. I can tunnel vnc over ssh and I think I can do something similar with nfs. That way I could lock down to only ssh.
As to using a VPN to connect to a remote corporate network - that was the original intent of a VPN. In addition to the VPN protecting your laptop it is protecting the corporate network. You and the corporate network can communicate securely over the insecure Internet. However, you would probably not tunnel to the corporate network just to get to the Internet, as is the case when a user connects to a commercial VPN which simply dumps them onto the Internet from a server in some remote location in order to disguise their true location. Or of course for other reasons.
As to iptables... it is my understanding that iptables must be disabled to use firewalld and vice versa. I have also read that "direct" rules in firewalld are applied globally to all zones.
So... It looks like I need to build a VPN server and connect to it with my VPN client (shared PC). I can then scan through the tunnel with Zenmap or such and see what I can see. I will put that on my project list.
Quote:
As to iptables... it is my understanding that iptables must be disabled to use firewalld and vice versa. I have also read that "direct" rules in firewalld are applied globally to all zones.
The iptables rules were just an example to show you how traffic on a given port might be blocked via the client side, since that's what you seemed to be concerned with. I'm using openSUSE with an iptables-based firewall. I'm sure you could figure out firewalld equivalents for the tun0 interface.
First let me say sorry to ferrari. I misunderstood the reference to iptables. My error.
And for the GOOD news... Yesterday I started building an openvpn server to which I could connect my openvpn client so I could scan the client's firewall from the server side. I was slogging through the instructions on openvpn.net when I decided I needed to take a break. I found the openvpn support forum, registered and posted my question. In response I received a link to a diagram showing how traffic flows in openvpn. As to my original question...
Data comes into the machine on the real Ethernet connection
In my case it is on port 1194/udp per the VPN providers config file
This data is of course encrypted as it passes through the firewall
I have ALL ports set to drop (not even acknowledge) data on the Internet side Ethernet connection
HOWEVER, as openvpn initiated the conversation from my machine the firewall passes the packets to openvpn
openvpn decrypts the data and sends it on its way via tun0
tun0 passes the data through the firewall a second time (but now decrypted)
Again I have the firewall set to drop all packets
IF the packet is part of a conversation started on my machine (then sent through openvpn) the packets pass to the initiating application or if the conversation started from a PC on my LAN they will be passed out the LAN side NIC.
Bottom line, the firewall gets two bites at the data to stop anything undesirable. I think I am good to go and reasonably safe and snug behind my firewalld.
Ken
p.s. now perhaps I will not wake up during the night dreaming about firewalls. Really!
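To make the two-pass flow Ken lays out above concrete, and to show where a port block like ferrari's ppp0 iptables rules sits in that flow, here is an added example that is not code from this thread, from OpenVPN or from firewalld. It is a toy model of a zone-based stateful firewall: every interface is in a zone ("drop" silently discards new inbound flows, "block" rejects them, as firewalld's zones of the same names do), and replies to flows this host started are passed, as a conntrack ESTABLISHED rule would. The interface names, addresses and ports are constructed for the illustration; the model covers the general case (any number of interfaces and per-interface port blocks), not only the single eth0/tun0 pair in the thread.

```python
# Added example (not from the thread): a toy model of a zone-based stateful
# firewall, used to trace the two passes of the OpenVPN flow described above.
# Interface names, addresses and ports below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet is seen on (eth0, tun0, ...)
    direction: str   # "in" (arriving at this host) or "out" (leaving it)
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class ZoneFirewall:
    """Drops/rejects new inbound flows per zone; passes replies to flows we started."""

    def __init__(self, zones, port_blocks=()):
        self.zones = dict(zones)              # iface -> "drop" | "block" | "trusted"
        self.port_blocks = set(port_blocks)   # (iface, dport): drop in both directions
        self.conntrack = set()                # 5-tuples of flows initiated locally

    @staticmethod
    def _key(proto, a, ap, b, bp):
        return (proto, a, ap, b, bp)

    def filter(self, p):
        # Port-specific drop on one interface, like the two iptables rules on ppp0.
        if (p.iface, p.dport) in self.port_blocks:
            return "DROP"
        if p.direction == "out":
            # Outbound traffic records a conntrack entry so its reply can return.
            self.conntrack.add(self._key(p.proto, p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"
        # Inbound: is this the reverse of a flow we initiated (ESTABLISHED/RELATED)?
        if self._key(p.proto, p.dst, p.dport, p.src, p.sport) in self.conntrack:
            return "ACCEPT"
        zone = self.zones.get(p.iface, "drop")
        if zone == "trusted":
            return "ACCEPT"
        if zone == "block":
            return "REJECT"   # block zone: refused with an ICMP error ("closed")
        return "DROP"         # drop zone: silently discarded ("stealthed")


def openvpn_double_pass():
    """Trace one HTTPS request through the tunnel and return every verdict."""
    fw = ZoneFirewall({"eth0": "drop", "tun0": "drop"}, port_blocks={("tun0", 80)})
    vpn_server, me_wan = "203.0.113.10", "198.51.100.7"   # constructed addresses
    me_tun, web = "10.8.0.2", "192.0.2.80"
    v = {}
    # Pass 1, the encrypted carrier: OpenVPN on this host opens the UDP flow to 1194,
    # so the encrypted reply on eth0 matches conntrack even though eth0 is in "drop".
    v["carrier_out"] = fw.filter(Packet("eth0", "out", "udp", me_wan, 51000, vpn_server, 1194))
    v["carrier_in"] = fw.filter(Packet("eth0", "in", "udp", vpn_server, 1194, me_wan, 51000))
    # Pass 2, the decrypted inner flow on tun0: we started it, so the reply returns.
    v["inner_out"] = fw.filter(Packet("tun0", "out", "tcp", me_tun, 40000, web, 443))
    v["inner_in"] = fw.filter(Packet("tun0", "in", "tcp", web, 443, me_tun, 40000))
    # An unsolicited connection arriving through the tunnel hits the drop zone on tun0.
    v["unsolicited_tun"] = fw.filter(Packet("tun0", "in", "tcp", "10.8.0.99", 5555, me_tun, 22))
    # The same thing arriving on the raw Internet interface with no matching outbound flow.
    v["unsolicited_wan"] = fw.filter(Packet("eth0", "in", "tcp", "192.0.2.200", 6000, me_wan, 443))
    # The port-80 block on the tunnel interface, the client-side analogue of the ppp0 rules.
    v["http_out"] = fw.filter(Packet("tun0", "out", "tcp", me_tun, 40001, web, 80))
    return v


if __name__ == "__main__":
    for name, verdict in openvpn_double_pass().items():
        print(f"{name:16} {verdict}")
```

The model shows why the tunnel does not "blow through" a firewall running on the same host: the carrier packets on eth0 and the decrypted packets on tun0 are each judged separately, and in both cases only replies to locally initiated flows get through a "drop" zone. It also shows the difference the original poster saw between the "block" and "drop" zones in the ShieldsUP results: the former answers (ports show as closed), the latter stays silent (ports show as stealthed).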