Two Plus Two Newer Archives  

  #21  
Old 01-21-2007, 09:06 PM
Freakin Freakin is offline
Senior Member
 
Join Date: Sep 2004
Posts: 6,022
Default Re: Setting up a Canadian proxy server

[ QUOTE ]
Percula,

In order to do what you say, i.e. not allowing the host to connect to anything other than the VPN concentrator, don't you have to be able to set up a 2-tiered firewall rule structure? First it checks to see if VPN is working, and if not only allows connection to the VPN, but if it is, then the 2nd set of firewall rules apply to regulate normal traffic. What I am asking, is whether a firewall allows you to set up a double test where it first checks the VPN's connectivity, and then applies another set of rules.

[/ QUOTE ]

It doesn't have to check the VPN's connectivity.
  #22  
Old 01-21-2007, 09:15 PM
BluffTHIS! BluffTHIS! is offline
Senior Member
 
Join Date: Nov 2004
Location: I can hold my breath longer than the Boob
Posts: 10,311
Default Re: Setting up a Canadian proxy server

Freakin,

What means, firewall rule-wise, do you use to ensure that any random program first has to connect to the VPN concentrator, and then only to the net?

Also, basically the import of this is that the player mentioned earlier in this thread as having had his account locked, need never have had that happen if he was set up correctly, is that correct?
  #23  
Old 01-21-2007, 09:19 PM
Freakin Freakin is offline
Senior Member
 
Join Date: Sep 2004
Posts: 6,022
Default Re: Setting up a Canadian proxy server

[ QUOTE ]
Freakin,

What means, firewall rule-wise, do you use to ensure that any random program first has to connect to the VPN concentrator, and then only to the net?

Also, basically the import of this is that the player mentioned earlier in this thread as having had his account locked, need never have had that happen if he was set up correctly, is that correct?

[/ QUOTE ]

You need traffic to the VPN server allowed, you need all other traffic blocked on your NIC. That is all.

And yes, if the player mentioned earlier had those kinds of rules in effect, it would not have been an issue.
  #24  
Old 01-21-2007, 09:22 PM
BluffTHIS! BluffTHIS! is offline
Senior Member
 
Join Date: Nov 2004
Location: I can hold my breath longer than the Boob
Posts: 10,311
Default Re: Setting up a Canadian proxy server

OK thanks. But I am still fuzzy about something. Basically do you have 2 firewalls with 2 separate sets of rules in place? I.E. the firewall on your pc only allows traffic to the VPN server, and then a firewall on that server with a set of rules as to which specific sites it can connect to or not?
  #25  
Old 01-21-2007, 10:27 PM
BiPolar_Nut BiPolar_Nut is offline
Senior Member
 
Join Date: Aug 2006
Location: Slightly over the edge
Posts: 1,590
Default Re: Setting up a Canadian proxy server

No. One firewall. The application firewall on your computer.

It allows VPN traffic. Everything else is blocked.

If the VPN is up, all works well as all your traffic is going out the VPN. If the VPN goes down, nothing gets out because the only place data is allowed to go is out the VPN...which is down.

Clearer?
  #26  
Old 01-22-2007, 12:25 AM
Percula Percula is offline
Senior Member
 
Join Date: Jun 2004
Location: Phoenix
Posts: 2,050
Default Re: Setting up a Canadian proxy server

[ QUOTE ]
OK thanks. But I am still fuzzy about something. Basically do you have 2 firewalls with 2 separate sets of rules in place? I.E. the firewall on your pc only allows traffic to the VPN server, and then a firewall on that server with a set of rules as to which specific sites it can connect to or not?

[/ QUOTE ]

I would use a local hardware based firewall. Then I use a VPN client on the host. On the firewall I create a set of rules that basically say...

Allow traffic from "host" to VPN concentrator using only the VPN protocols needed for the VPN. Deny all other traffic from "host". On the VPN concentrator I configure it to route all client traffic to the Internet.

This will effectively isolate the host so that the only way for it to do anything on the Internet is to be connected to the VPN.

If you want to (and you should) take the security side of it a step further... On the VPN concentrator (I would use another firewall here and not a dedicated VPN concentrator) I would set firewall rules that only allow traffic for the poker site(s) and apply strict web content filtering only allowing HTTP/HTTPS traffic to sites like your payment processor, online bank, brokerage account, poker sites.

You could also use that type of setup without the VPN on a home network to prevent hacking if IP appearance was not important. With a setup like this I use a firewall on which I can create more than one network. I place the poker host in its own network with the same restrictive rules already mentioned. Then any other personal computers go on the other network. They are not allowed to communicate with the poker host and the poker host is not allowed to communicate with them, but otherwise can do pretty much anything they want, except what the poker host does, like connecting to the poker sites, payment processors, etc.

It takes some money to build out and configure something like this, but for a mid to high stakes player, it's not too bad, <$7K plus yearly support for the IPS updates and NBD replacement at ~1K.
  #27  
Old 01-22-2007, 02:14 AM
Freakin Freakin is offline
Senior Member
 
Join Date: Sep 2004
Posts: 6,022
Default Re: Setting up a Canadian proxy server

[ QUOTE ]
[ QUOTE ]
OK thanks. But I am still fuzzy about something. Basically do you have 2 firewalls with 2 separate sets of rules in place? I.E. the firewall on your pc only allows traffic to the VPN server, and then a firewall on that server with a set of rules as to which specific sites it can connect to or not?

[/ QUOTE ]

I would use a local hardware based firewall. Then I use a VPN client on the host. On the firewall I create a set of rules that basically say...

Allow traffic from "host" to VPN concentrator using only the VPN protocols needed for the VPN. Deny all other traffic from "host". On the VPN concentrator I configure it to route all client traffic to the Internet.

This will effectively isolate the host so that the only way for it to do anything on the Internet is to be connected to the VPN.

If you want to (and you should) take the security side of it a step further... On the VPN concentrator (I would use another firewall here and not a dedicated VPN concentrator) I would set firewall rules that only allow traffic for the poker site(s) and apply strict web content filtering only allowing HTTP/HTTPS traffic to sites like your payment processor, online bank, brokerage account, poker sites.

You could also use that type of setup without the VPN on a home network to prevent hacking if IP appearance was not important. With a setup like this I use a firewall on which I can create more than one network. I place the poker host in its own network with the same restrictive rules already mentioned. Then any other personal computers go on the other network. They are not allowed to communicate with the poker host and the poker host is not allowed to communicate with them, but otherwise can do pretty much anything they want, except what the poker host does, like connecting to the poker sites, payment processors, etc.

It takes some money to build out and configure something like this, but for a mid to high stakes player, it's not too bad, <$7K plus yearly support for the IPS updates and NBD replacement at ~1K.

[/ QUOTE ]

  #28  
Old 01-22-2007, 02:26 AM
BluffTHIS! BluffTHIS! is offline
Senior Member
 
Join Date: Nov 2004
Location: I can hold my breath longer than the Boob
Posts: 10,311
Default Re: Setting up a Canadian proxy server

Thanks again. My question before was because I didn't see how other non-poker programs were going to be able to get through to the net. For example any random update process of any app you have installed. Normally it has to go through your software firewall where you have either given permission or not for it to connect on its own when you aren't necessarily around (something a poker client isn't going to do though). But with a VPN, you need the first barrier to be one that actually ensures all traffic is routed through the VPN. So I wasn't seeing how that was done and then also other non-poker programs were either going to be able to connect at all, or if they were wouldn't be challenged at all as long as they went through the VPN.

But from your explanation above, I guess the hardware firewall takes care of the main priority, i.e. no connections except through the VPN, and then a software firewall on the VPN server is configured to test all programs that are in fact being channeled through the VPN. Is that correct? Thus, would Microsoft's auto update program still function under a VPN?

Also, are you saying the setup cannot be done without a hardware firewall, or would instead 2 software firewalls, one on your pc and the other on the VPN server, be able to do the same thing and never allow a poker client to connect if the VPN went down for a minute or two?
  #29  
Old 01-22-2007, 04:00 AM
BiPolar_Nut BiPolar_Nut is offline
Senior Member
 
Join Date: Aug 2006
Location: Slightly over the edge
Posts: 1,590
Default Re: Setting up a Canadian proxy server

When you connect to the VPN you will use the remote server's gateway. All traffic will go out the VPN. Updates, streaming porn, random nmap scans, all 23 email and IM accounts, etc. When you connect to the VPN, *BANG* everything leaving your machine is going through the VPN. No voodoomagic required.

You're overcomplicating it, I think.

VPN up == all traffic goes thataway....doesn't matter if you just fired up AIM or pokerroom...it's gonna shoot through the VPN and connect "from" Canada or wherever your VPN server is.

VPN down == no traffic goes anywhere since the one and only firewall you have on your poker machine is blocking all traffic not going through the VPN.

Not sure how many ways this can be said. What isn't making sense? When you're on the VPN, EVERYTHING automagically will bounce through the remote server and appear to the rest of the world to have originated from wherever your VPN server is. Since your firewall on your poker machine will be set to block all traffic *not* traveling the VPN tunnel, then either everything will work normally by going out the VPN tunnel, or if the VPN goes down then no traffic goes anywhere because there is no place for it to go!

*shrug* If that doesn't clear it up I give up for tonight...I gotta sleep, anyway...interview tomorrow :)

IM me (contact info in profile) sometime tomorrow if you want a real-time conversation on the subject and I'll try to clear up your confusion.
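The fail-closed setup described in posts #25 and #29, written out as host firewall rules. This is an added example, not part of the original thread: it assumes a Linux host using iptables, and the interface names (`eth0`, `tun0`), server address, protocol and port are constructed placeholders.

```shell
#!/bin/sh
# Added example. eth0/tun0, 203.0.113.10 (a documentation address), udp and
# 1194 are constructed placeholders, not values from the thread.

# killswitch_rules NIC TUN SERVER_IP PROTO PORT
# Prints an IPv4 iptables-restore ruleset; returns 1 on bad arguments.
killswitch_rules() {
    [ $# -eq 5 ] || return 1
    nic=$1 tun=$2 server=$3 proto=$4 port=$5
    for i in "$nic" "$tun"; do
        case $i in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    done
    case $proto in udp|tcp) ;; *) return 1 ;; esac
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    # Dotted-quad shape only: a hostname would need DNS, which these rules
    # block whenever the tunnel is down.
    case $server in
        *[!0-9.]*|*..*|.*|*.|*.*.*.*.*) return 1 ;;
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $nic -d $server -p $proto --dport $port -j ACCEPT
-A OUTPUT -o $tun -j ACCEPT
COMMIT
EOF
}

# IPv6 is untouched by the rules above; drop it (loopback excepted) so it
# cannot bypass the tunnel. Load this one with ip6tables-restore.
killswitch_rules_v6() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT DROP [0:0]' '-A INPUT -i lo -j ACCEPT' \
        '-A OUTPUT -o lo -j ACCEPT' 'COMMIT'
}

killswitch_rules eth0 tun0 203.0.113.10 udp 1194   # pipe to iptables-restore as root
```

The rules are static and never test whether the VPN is connected: when the tunnel is down nothing can leave via `tun0`, and on `eth0` only the single flow to the VPN server is accepted, so everything else hits the DROP policy.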
  #30  
Old 01-22-2007, 02:10 PM
BluffTHIS! BluffTHIS! is offline
Senior Member
 
Join Date: Nov 2004
Location: I can hold my breath longer than the Boob
Posts: 10,311
Default Re: Setting up a Canadian proxy server

BPN,

Thanks for the IM offer, but maybe some others here would be interested in your and others' responses to my questions *if* I can make myself clearer :).

Here's what I am misunderstanding. And that is the 2 part process where a program on your pc tries to contact the net and is first checked to make certain such contact is only taking place via the VPN, and then also checked to make sure it isn't a malicious/unpermitted contact in general, which is what one's software firewall normally does via a set of rules.

So let's say I contract for a dedicated VPN server in Canada or wherever outside the US. Now any random program attempts to connect with the net.

1) what program/hardware device checks to make sure such contact can only take place through the VPN and not otherwise?

2) what program/device then checks that app to see if it is permitted in general once having passed the first step above? (software firewall on PC or on the VPN server?)


Also another question: can one with such a dedicated VPN server use just a software firewall on the PC and/or VPN server to make sure that no communication with the net takes place except through the VPN (as with Norton firewall for example), or is other hardware required? If so what other hardware?


I hope these questions are more clear and I would like to thank you and the other posters who have provided knowledgeable replies in this thread.
All times are GMT -4.