
Force system to stick to VPN only with Mac OS X built-in firewall.

This tutorial will help you force your whole Mac system to use the VPN connection only. In other words, if your VPN connection drops, your system will not communicate with the Internet until the VPN connection comes back.

There are two easy ways to achieve IP binding on Mac, for example to prevent filesharing tools from downloading or uploading in case the VPN connection is lost.

Note: Disabling the IPFW firewall (flushing all firewall rules) is done by running "sudo ipfw -f f". Our scripts already do this for you, so you should only run it manually in a terminal window when experiencing any kind of connection problems.

Basics

The built-in firewall of Mac OS X is called "IPFW". It lets you accept or block whatever you need: IPs, ranges, ports, protocols, etc. By default you configure it via the terminal (command line); however, many GUIs are available, so you can also configure it via a graphical user interface on your desktop (e.g. Little Snitch or WaterRoof).

1) List all current firewall rules

Run "sudo ipfw list" in a terminal window.

2) Firewall rule examples

If you enter "ipfw add 65534 deny ip from any to any out via en*", this creates a firewall rule that blocks ALL outgoing traffic on the ethernet adapters completely.

In this example, we are giving that rule the ID 65534, which is the second-to-last possible ID. This is important, because:

- All rules with a lower ID have higher priority. So we can now create rules for certain protocols, IPs, ports, etc. For example, if we want to allow all traffic to a certain IP that goes through VPN related ports, we can add the rule "ipfw add 01001 allow ip from any to 193.243.171.194 dst-port 443,53,1723 out via en*", which allows traffic to IP 193.243.171.194 over ports 443, 53 and 1723 (VPN related ports) on all ethernet adapters (en* = en0, en1, etc.). This rule lets us connect to that VPN server although we blocked all other traffic.

- All rules with a higher ID (there can only be one, the rule with the ID 65535) have lower priority. This allows us to create the last rule, which should be "ipfw add 65535 allow ip from any to any". This rule allows ANY traffic completely, but since it is the last rule, it only affects traffic that has not already been decided by rules with lower IDs (i.e. rules with higher priority). If you do not create this rule, all traffic will be blocked.

3) Disabling the IPFW firewall (flushing all firewall rules)

This is done by running "sudo ipfw -f f" in a terminal window. Do this if you experience any kind of connection issues (e.g. caused by incorrect firewall rules).

Also, if you start experimenting with IPFW, you should first flush all firewall rules to prevent conflicts between existing rules and the rules you're going to create.
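As an added check that is not part of this article, the following POSIX shell script reads the output of "sudo ipfw list" and confirms that the rule set has the shape described in the Basics section: VPN server exceptions (allow rules with "dst-port") numbered below 65534, the deny-all rule at 65534 and the catch-all allow at 65535. The sample listing inside the script is constructed, not captured from a real system, and the listing format (five-digit rule number followed by the rule body) is assumed from what "ipfw list" prints.

```shell
#!/bin/sh
# Added example, not from the article: verify that an ipfw listing has the
# kill-switch shape (allow VPN servers, deny everything else, catch-all allow).
# Input is the text of "sudo ipfw list" on stdin.

# check_killswitch returns 0 (success) only when all three conditions hold:
#   - rule 65534 denies all outbound traffic via en*,
#   - rule 65535 is the catch-all allow,
#   - at least one allow rule numbered below 65534 carries a dst-port list,
#     i.e. it is a VPN server exception like "01001 allow ip ... dst-port ...".
check_killswitch() {
    deny_ok=0; catchall_ok=0; exceptions=0
    while read -r num action rest; do
        # skip blank lines and anything that does not start with a rule number
        case "$num" in ''|*[!0-9]*) continue ;; esac
        # quoted case patterns are literal, so "en*" here is not a glob
        case "$num $action $rest" in
            "65534 deny ip from any to any out via en*") deny_ok=1 ;;
            "65535 allow ip from any to any")            catchall_ok=1 ;;
        esac
        if [ "$action" = allow ] && [ "$num" -lt 65534 ]; then
            case "$rest" in *dst-port*) exceptions=$((exceptions + 1)) ;; esac
        fi
    done
    [ "$deny_ok" -eq 1 ] && [ "$catchall_ok" -eq 1 ] && [ "$exceptions" -ge 1 ]
}

# Constructed sample of what a correct listing looks like (not real output).
SAMPLE_LISTING='01001 allow ip from any to 193.243.171.194 dst-port 443,53,1723 out via en*
65534 deny ip from any to any out via en*
65535 allow ip from any to any'

# Run as: sudo ipfw list | sh check_killswitch.sh --check
# (hypothetical file name; without --check the script only defines the function)
if [ "${1:-}" = "--check" ]; then
    if check_killswitch; then
        echo "kill switch rules are in place"
    else
        echo "kill switch rules are missing or incomplete" >&2
        exit 1
    fi
fi
```

Pipe a real listing into the script after running enablebind or bind.sh to confirm the rules loaded; if it reports the rules as missing, flush with "sudo ipfw -f f" and re-run the script so that you do not end up with a rule set that blocks everything.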

Solution 1

First please download these scripts (e.g. right-click and save as): enablebind + disablebind

Now you need to get the IP of the VPN servers you want to set IP binding for - this list is available in your panel account, under My VPN Package > Details of your active package > Network/Servers tab.

Take a look at the 11th line of the script enablebind - it contains the IP of the Ukraine I server. Now duplicate this 11th line and replace the IP with the ones of your favorite servers, so that the code looks like this:

sudo ipfw add 01002 allow ip from any to 193.19.185.157 dst-port 443,53,1723 out via en*
sudo ipfw add 01002 allow ip from any to 42.121.55.212 dst-port 443,53,1723 out via en*
sudo ipfw add 01002 allow ip from any to 69.242.95.11 dst-port 443,53,1723 out via en*
sudo ipfw add 01002 allow ip from any to 128.95.22.65 dst-port 443,53,1723 out via en*

Save the script after making your changes.

You might still need to make both scripts executable, e.g. by running "chmod u+x enablebind" and "chmod u+x disablebind" in a terminal window. You need to change into the directory where you saved those files before you can do this.

Now you can easily enable IP binding by running the script enablebind, and disable it by just running the script disablebind.

Solution 2

First please download this script (e.g. right-click and save as): bind.sh

Save it into a specific folder where you can find it later, e.g. on the Desktop.

Now you need to get the IP of the VPN servers you want to set IP binding for - this list is available in your panel account, under My VPN Package > Details of your active package > Network/Servers tab.

Open the script with your favorite text editor and take a look at its 8th line - it contains the IP of the Ukraine server. Now duplicate this 8th line and replace the IP with the ones of your favorite servers, so that the code looks like this:

ipfw add 01002 allow ip from any to 193.19.185.157 dst-port 443,53,1723 out via en*
ipfw add 01002 allow ip from any to 42.121.55.212 dst-port 443,53,1723 out via en*
ipfw add 01002 allow ip from any to 69.242.95.11 dst-port 443,53,1723 out via en*
ipfw add 01002 allow ip from any to 128.95.22.65 dst-port 443,53,1723 out via en*

Now open a terminal window and change into the folder where you saved the script earlier (e.g. Desktop). Then run the script with the parameter "enable" to enable IP binding, e.g. "sudo bash bind.sh enable". To disable it, run "sudo bash bind.sh".
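As an added example that serves both the Basics section and Solution 2, the POSIX shell script below generates the kill-switch rule set from a list of VPN server IPs in the priority order explained above (server exceptions first, deny-all at 65534, catch-all allow at 65535) and loads it with an enable/disable interface like bind.sh. It is not the article's enablebind or bind.sh script, which are not reproduced here; the rule numbers, ports and server IPs are taken from the article's examples, the file name bind_example.sh is hypothetical, and "ipfw -f flush" is the long form of the "ipfw -f f" used on this page.

```shell
#!/bin/sh
# Added example (not the article's own scripts): build and load the ipfw
# rule set for a VPN-only kill switch. Requires root and the ipfw binary,
# which only exists on older Mac OS X releases.

VPN_PORTS="443,53,1723"   # VPN related ports from the article

# build_rules "ip1 ip2 ..." prints one ipfw command per line, highest
# priority (lowest rule number) first.
build_rules() {
    servers="$1"
    n=1001
    for ip in $servers; do
        # Low rule number = high priority: allow VPN traffic to each server first.
        printf 'add %05d allow ip from any to %s dst-port %s out via en*\n' \
            "$n" "$ip" "$VPN_PORTS"
        n=$((n + 1))
    done
    # Second-to-last number: drop everything else leaving an ethernet adapter.
    printf 'add 65534 deny ip from any to any out via en*\n'
    # Last number: permit whatever the rules above did not decide.
    printf 'add 65535 allow ip from any to any\n'
}

# apply_rules "ip1 ip2 ..." flushes the current rules and loads the new set.
apply_rules() {
    command -v ipfw >/dev/null 2>&1 || { echo "ipfw not found" >&2; return 1; }
    set -f                       # keep the shell from expanding en* as a glob
    ipfw -f flush                # same as "ipfw -f f" in the article
    build_rules "$1" | while IFS= read -r rule; do
        ipfw $rule               # unquoted on purpose: "add 01001 allow ..."
    done
    set +f
}

# Server IPs from the article's example (replace with your own list).
VPN_SERVERS="193.19.185.157 42.121.55.212 69.242.95.11 128.95.22.65"

# Usage: sudo sh bind_example.sh enable   (load the kill switch)
#        sudo sh bind_example.sh disable  (flush all rules)
case "${1:-}" in
    enable)  apply_rules "$VPN_SERVERS" ;;
    disable) ipfw -f flush ;;
    *)       : ;;
esac
```

Running "sh bind_example.sh" with no argument only defines the functions, so you can source it and call build_rules to preview the rule set before loading it; each allow rule gets its own number here, whereas the article's scripts reuse 01002 for every server, which ipfw also accepts.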

Alternative Solution

Firewall applications like Little Snitch, WaterRoof or NoobProof can be used to regulate your traffic and create firewall rules. Please have a look at this tutorial for Comodo to understand how you can come up with firewall rules in order to force software or the system to use the VPN only.