My modem/router has a firewall and is active. My software firewall is active when I connect to the darknet. Is this considered overkill? I remember a while ago I had issues connecting to the darknet with my software firewall remaining active. But the problem rectified itself, along with a response from CS_Ops saying that all VPN testing on server side is performed with no software firewall activated (Local Windows Firewalling).
Which would be better to disable? (if required/needed at all). I've managed to hit 1MB/s in recent days out of a maximum downstream of 1.8MB/s.
local firewalling w/ cryptostorm: discussion
- marzametal
- Posts: 434
- Joined: Mon Aug 05, 2013 11:39 am
- cryptostorm_support
- ForumHelper
- Posts: 133
- Joined: Sat Jan 26, 2013 4:31 am
- Contact:
Re: cryptostorm: TCP-based fallback for firewalled local net
We've split this out to a separate thread, as it's a good issue and one that comes up quite a bit in conversations with network members.
marzametal wrote:
My modem/router has a firewall and is active. My software firewall is active when I connect to the darknet. Is this considered overkill? I remember a while ago I had issues connecting to the darknet with my software firewall remaining active. But the problem rectified itself, along with a response from CS_Ops saying that all VPN testing on server side is performed with no software firewall activated (Local Windows Firewalling).
Which would be better to disable? (if required/needed at all). I've managed to hit 1MB/s in recent days out of a maximum downstream of 1.8MB/s.
Because client-side firewalling is so varied, it is very difficult to make accurate general comments regarding what is "correct" or not. Further, the many different types and configurations of local firewalls can - and not uncommonly do - block connections to cryptostorm, or cause serious performance lags once connected.
However, it is not our intent to make blanket "recommendations" such as turning off all client-side firewalling while connected to cryptostorm. Some of our tech team members advocate strongly for this position, and are encouraging us to implement baseline controls network-wide that obviate most of the need for client-side firewalling during cryptostorm sessions. Others on the team are equally adamant that cryptostorm isn't a substitute for local firewalling layers, and shouldn't be presented as such.
In summary, it's very much of an open question - and could benefit from member/community feedback and discussion!
- ~ cryptostorm_support
☂ cryptostorm_support shared support team forum account ☂
PLEASE DON'T SEND PRIVATE MESSAGES with support questions!
--> feel free to use any of our other contact channels, or post in the support forum
cryptostorm: structurally anonymous, token-based, unlimited ☂ bandwidth, opensource, darknet data security for everyone!
keybase.io validators ☂ onename.io validators ☂PGP key @ MIT ☂ network status ☂ cryptostorm github
☂ support team bitmessage address: BM-2cTMH8K5JnjbfSALjZtSkRWCLfc3Tr8GBV
☂ support team email: support@cryptostorm.is
☂ live chat support: #cryptostorm
- marzametal
- Posts: 434
- Joined: Mon Aug 05, 2013 11:39 am
Re: local firewalling w/ cryptostorm: discussion
@OP
To add to this thread: I would advocate keeping a local firewall in place. I use Linux Mint 14 as opposed to Windows, but I know for a fact that even though KTorrent (KDE BitTorrent client) can be told to use this interface or that, it will fail-open to the clear Ethernet interface if the VPN tunnel drops. This happened a little too often on the old Cryptocloud network, so I set up a firewall to make sure that anything that was not for the local network would either go over the VPN or be dropped.
So far, the CS connection has been up continuously for about a week and hasn't dropped at all (well done to the CS team!!), but that's no reason to not have a firewall in place.
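The fail-closed setup described in the post above, sketched as an added example (not the poster's ruleset and not cryptostorm tooling): a shell function that emits an iptables-restore ruleset allowing only loopback, the local network, the VPN handshake, and the tunnel. The function name `killswitch_rules`, the interface names `eth0`/`tun0`, and the addresses in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example: emit a fail-closed ("kill switch") IPv4 ruleset in
# iptables-restore format. Nothing is applied; review the output, then e.g.
#   killswitch_rules 192.168.1.0/24 203.0.113.10 udp 1194 | sudo iptables-restore
# (all four values above are constructed placeholders).
# usage: killswitch_rules LAN_CIDR VPN_SERVER_IP PROTO PORT [TUN_IF] [WAN_IF]
killswitch_rules() {
    lan=$1 server=$2 proto=$3 port=$4 tun=${5:-tun0} wan=${6:-eth0}
    case $proto in udp|tcp) ;; *) echo "proto must be udp or tcp" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;; esac
    # Default policy is DROP on every chain, so if the tunnel interface
    # disappears there is no rule left that lets traffic out in the clear.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $wan -s $lan -j ACCEPT
-A OUTPUT -o $wan -d $lan -j ACCEPT
-A OUTPUT -o $wan -d $server -p $proto --dport $port -j ACCEPT
-A OUTPUT -o $tun -j ACCEPT
COMMIT
EOF
    # The VPN server is given by IP address so no DNS lookup has to leave on
    # the clear interface. IPv6 is not covered here: ip6tables needs its own
    # DROP policy, otherwise IPv6 traffic bypasses these rules.
}
```

The only rules that permit output on the physical interface are the LAN rule and the single VPN server rule; everything else must leave through the tunnel interface or is dropped.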

Re: local firewalling w/ cryptostorm: discussion
I have not set up CS on my router yet; set up to not connect to anything except CS and no DNS except from CS. I plan on doing that once I obtain an OpenWrt router.
Once I have that set up I plan on having the OpenWrt firewall set up, as well as my software firewall set up on my Linux machine, with IP blacklisting on for 4bil IPs, only allowing what I need when I need it.
Bitmessage me with Questions, Help, or ChitChat
- BM-2cV5BzWc9P7vufQREE8Be4U64GBgRJ3GnT
" Those who do not move, do not notice their chains." -Rosa Luxemburg
