Linux Mint Forums

[eddyNOR]

Why does my firewall keep turning off? I have a fresh installation of Mint 12(Lisa) And i took a port scan an a lot of ports where open, i made rules in the firewall(That is like the one in Ubuntu 11) But i can see it is turned off again today.. But it isnt always, i know i where hacked some weeks ago on a windows computer and i dont want that to happen again..

So how do i secure the unicorns out of this computer? And how does i know if the firewall really is working?(Because even if i denied/closed port 445(i think it was) and port 39(Because it also where open, and port 38 also popped up later on) Right now it is port from 48490-57457 that appears to have the state "open" I use the "network tools" that follow mint to check it..

I also try to connect to my vpn but i just get established the connection but not connected to internet..

I have been looking for a 3rd party firewall and antivirus but cant find anyone that im sure is safe, what should i install? And how do i close ports when the firewall #"!#¤%ing! doesnt work ?

I much appreciate all answers! Thanks!

[karlchen]

Hello, eddyNOR.

About the firewall issue:
It is not quite clear what you really did in order to enable the firewall that comes with Linux Mint. If I remember right all I had to do was run this commandline

Code: Select all

sudo ufw enable

From that time on, the uncomplicated firewall (ufw) would be launched automatically on every system boot and prevent anyone from connecting to my machine.
Checking the status is pretty trivial by executing the commandline

Code: Select all

sudo ufw status verbose

which yields this output here:

karlchen@lynx:~$ sudo ufw status verbose
[sudo] password for karlchen:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profile: skip

Moreover ufw will create log entries in the file /var/log/syslog and /var/log/ufw.log which document what it does. So you should definitely check those logfiles for details on why your firewall is not always active. In case you do not use ufw you should check syslog and find out where your firewall writes its log entries.

About your VPN issue:
Sorry, but not enough details to give any advice on this issue.

Kind regards,
Karl

[eddyNOR]

Hello, eddyNOR.

About the firewall issue:
It is not quite clear what you really did in order to enable the firewall that comes with Linux Mint. If I remember right all I had to do was run this commandline

Code: Select all

sudo ufw enable

From that time on, the uncomplicated firewall (ufw) would be launched automatically on every system boot and prevent anyone from connecting to my machine.
Checking the status is pretty trivial by executing the commandline

Code: Select all

sudo ufw status verbose

which yields this output here:

karlchen@lynx:~$ sudo ufw status verbose
[sudo] password for karlchen:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profile: skip

Moreover ufw will create log entries in the file /var/log/syslog and /var/log/ufw.log which document what it does. So you should definitely check those logfiles for details on why your firewall is not always active. In case you do not use ufw you should check syslog and find out where your firewall writes its log entries.

About your VPN issue:
Sorry, but not enough details to give any advice on this issue.

Kind regards,
Karl

Thanks for your prompt reply Karl!

I turned it on with the graphical interface(Firewall configuration in the menu) and made some rules as you can see:

" ~ $ sudo ufw status verbose
Status: active
Logging: on (full)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To Action From
-- ------ ----
23 DENY IN 22
445 DENY IN Anywhere
139 DENY IN 139
139 DENY IN 137
135,139,445/tcp DENY IN Anywhere
137,138/udp DENY IN Anywhere
22 DENY IN Anywhere (log)"

And deny the same out.. So why does it say that 445, 139, 138 etc are open when i do a portscan?? Anyone have some idea?

Thank you for answering! I cant find anything in the log but iam not sure i can read the log at all :p The only thing i maybe found was some interface from an private ip adress.. But maybe me that are getting paranoid..

[eddyNOR]

And regarding the VPN it is OpenVPN with certifcate, i installed it with apt.. I have copied the files to the folder i should etc.. Cant understand why, specially since even the host cant help me..

[karlchen]

Hello, eddyNOR.

$ sudo ufw status verbose
Status: active
Logging: on (full)
Default: deny (incoming), allow (outgoing)
New profiles: skip

Apart from the fact that you turnt on fully detailled logging this is the same configuration as mine:
Allow all outgoing connections. UFW will permit you to open connections to any target on any port.
Deny any incoming connections. UFW will reject any attempt from other computers to open a connection on any port on your machine.

Therefore, the additonal rules

23 DENY IN 22
445 DENY IN Anywhere
139 DENY IN 139
139 DENY IN 137
135,139,445/tcp DENY IN Anywhere
137,138/udp DENY IN Anywhere
22 DENY IN Anywhere (log)

do not seem to make any difference from my point of view. They just confirm for a list of named ports what has been configured for all ports anyway: do not allow any incoming traffic.

So why does it say that 445, 139, 138 etc are open when i do a portscan??

Who shows open ports? And open in which direction? Remember UFW has been instructed to permit all outgoing connections on any port.

Which command did you use to find out open ports? Can you post the screen output of this programme so that it is possible to find out if any ports are open and if this is true for incoming or for outgoing connections?

Even if a commandline like

Code: Select all

netstat -a | grep tcp | grep LISTEN

displays a list of ports which your machine is listening on this does not mean that they can be contacted from the outside world, because UFW will intercept any request to connect to such a port from the outside world.

About the ufw.log:

iam not sure i can read the log at all

Hm. Why did you activate full logging then?

At least here, where UFW logging has been restricted to "low", it is pretty simple to find out whether anything passed UFW by.
UWF will log any blocked attempt to connect to the machine from outside and state "[UFW BLOCKED]". Therefore all lines which do not contain the string "UFW BLOCKED" might be worth checking:

Code: Select all

grep -v "UFW BLOCKED" /var/log/ufw.log

This command yields 0 hits here. I.e. here UFW blocks 100% of all attempts to connect to my machine from outside.
And note:
Most attempts of other machines to establish a connection to your machine may not even be evil. But UFW should block them all.

Provided you establish the connection to your internet provider directly from your machine, e.g. with the help of a DSL modem, you may check whether your machine can be contacted from outside and if so on which ports by performing several test here: www.grc.com => Shieldsup.
If your machine is connected to a DSL router and the router establishes the connection to the internet provider, performing the ShieldsUp test will not reveal how well your machine is protected, but how well your router protects you from attackers.

Kind regards,
Karl
--
Corrected / added:
Saturday, April 14th, 2012
Seems as if different versions of UFW use a slightly different string to state they have blocked an action.
UFW on Ubuntu 10.04.4 writes "[UFW BLOCKED]". UFW on Mint 12, however, writes "[UFW BLOCK]".
Therefore the commandline given above,

Code: Select all

grep -v "UFW BLOCKED" /var/log/ufw.log

will work on Ubuntu 10.04.4 and yield the expected result.
However, on Linux Mint 12 the commandline should actually read

Code: Select all

grep -v "UFW BLOCK" /var/log/ufw.log

in order to have the same effect.
Sorry, such things may happpen if you are logged on to Unbuntu 10.04.4 and explain what to do on Mint 12.

[DrHu]

Some browser actions might be able to get a port started because the browser config files(s) are set to allow it on
http://en.wikipedia.org/wiki/List_of_TC ... rt_numbers

39 TCP UDP Resource Location Protocol[7] (RLP)—used for determining the location of higher level services from hosts on a network

--one you mentioned, as well I think slp (Server location Protocol) could also attempt to open a port
http://en.wikipedia.org/wiki/Service_Location_Protocol

If you are concerned about security, you might want to consider whther or not you want to allow IPP (Internet Print Protocol), to allow oprinting to a local printer directly from the internet.
http://members.cruzio.com/~jeffl/sco/lp ... ervers.htm

You can also configure CUPS, for example to only allow your logged in account to print -->locally only..

Some media player protocols such as realplayer or applications such as skype have little difficulty activating ports, provided they exist..

UFW, Ubuntu..
https://help.ubuntu.com/community/UFW
Instead of DENY, I would probably use DROP for any ports I don't want running/open
--but maybe DENY is ok, it's just a matter of choice.

For port 139 (Netbios name resolution), if you have windows OS shares enabled, it could be a samba access is allowing that to be available
--you never need netbios name resolution on the internet, since dns and IP/host names are sufficient, and not all networks use Microsoft servers or want winbind or netbios or MS clients running nor need then, not even Microsoft to connect to the internet

Windows like Linux only really needs TCP connections to work..

And it looks like the port numbers you are blocking have mostly to do with windows services, mainly netbios

--such security concerns for the Linux side probably aren't that important, it doesn't use (unless for ease of sharing) any of those netbios or AD connections/clients

[eddyNOR]

About the ufw.log:

iam not sure i can read the log at all Hm. Why did you activate full logging then?

I activated full logging because i thinked if someone hacked me i at least have what happend on a log that i can get someone to translate if i dont understand

At least here, where UFW logging has been restricted to "low", it is pretty simple to find out whether anything passed UFW by.
UWF will log any blocked attempt to connect to the machine from outside and state "[UFW BLOCKED]". Therefore all lines which do not contain the string "UFW BLOCKED" might be worth checking:

Code: Select all

grep -v "UFW BLOCKED" /var/log/ufw.log

This command yields 0 hits here. I.e. here UFW blocks 100% of all attempts to connect to my machine from outside.
And note:
Most attempts of other machines to establish a connection to your machine may not even be evil. But UFW should block them all.

What is the different in what is beeing logged on the different steps? But i see your point:) (You think medium is ok? :p

you may check whether your machine can be contacted from outside and if so on which ports by performing several test here: www.grc.com => Shieldsup.

It found one red(Port 22 SSH remote login protocol) and one green(Port 646 LDP)

If your machine is connected to a DSL router and the router establishes the connection to the internet provider, performing the ShieldsUp test will not reveal how well your machine is protected, but how well your router protects you from attackers.

Kind regards,
Karl[/quote]

I used the portscanner at network tools to find the ports that where open, but since earlier i have uninstalled samba so i dont have the problems with the port 445 anymore. Now i just find ports open on a much higher number 30000++(And in what i can see that can be anything)

Thanks for your time, i at least understand more of it now:) And have a new portscanner page

[eddyNOR]

Some browser actions might be able to get a port started because the browser config files(s) are set to allow it on
http://en.wikipedia.org/wiki/List_of_TC ... rt_numbers

39 TCP UDP Resource Location Protocol[7] (RLP)—used for determining the location of higher level services from hosts on a network

--one you mentioned, as well I think slp (Server location Protocol) could also attempt to open a port
http://en.wikipedia.org/wiki/Service_Location_Protocol

If you are concerned about security, you might want to consider whther or not you want to allow IPP (Internet Print Protocol), to allow oprinting to a local printer directly from the internet.
http://members.cruzio.com/~jeffl/sco/lp ... ervers.htm

You can also configure CUPS, for example to only allow your logged in account to print -->locally only..

Some media player protocols such as realplayer or applications such as skype have little difficulty activating ports, provided they exist..

UFW, Ubuntu..
https://help.ubuntu.com/community/UFW
Instead of DENY, I would probably use DROP for any ports I don't want running/open
--but maybe DENY is ok, it's just a matter of choice.

For port 139 (Netbios name resolution), if you have windows OS shares enabled, it could be a samba access is allowing that to be available
--you never need netbios name resolution on the internet, since dns and IP/host names are sufficient, and not all networks use Microsoft servers or want winbind or netbios or MS clients running nor need then, not even Microsoft to connect to the internet

Windows like Linux only really needs TCP connections to work..

And it looks like the port numbers you are blocking have mostly to do with windows services, mainly netbios

--such security concerns for the Linux side probably aren't that important, it doesn't use (unless for ease of sharing) any of those netbios or AD connections/clients

I want to close everything that have with microsoft to do, but now i have uninstalled all apps i found that have anything with microsoft to do.. So i dont find any ports that have with ms to anymore..

But on the startup it is something weird i think,(It is a "config" or something) it said:

"
Recordfail
set gfxpayload=$linux_gfx_mode
insmod gzio
insmod part_msdos
insmod_ext2
set_root=(hd0,msdos7)
search --no-floppy --fs-uuid --set=root *****-*****-*****_******_******* ( *** = dont remember every number and letter, just random)
"

The part i dont understand is Insmod part_msdos and set_root=(msdos7) This is at the startup before loading Ubuntu/Mint if you understand what i mean.. It got me thinking..

[karlchen]

Hello, eddyNOR.

i at least understand more of it now

Without trying to be rude, so I really beg your pardon, yet, everything you write actually suggests that you don't.

Your thread is titled "Why does my firewall keep turning off?" - Yet, so far we have not seen any single substantial piece of evidence that this really happens.

You seem to be worried about your network security, which is good, but like any normal user who has not received any special training on networking you are at a loss what to look for and how to identify potential security holes, so you start to chase shadows.

The most efficient approach to get you out of this situation will be by finding a computer / network expert (friend, relative, co-worker) who has a closer look at your computer and your network and who will explain to you what is going on, if there are open security holes and how to fix them.

Trying to achieve this in this thread by a sequence of questions and answers will be extremely time consuming.

Kind regards,
Karl

[espressoguy]

And regarding the VPN it is OpenVPN with certifcate, i installed it with apt.. I have copied the files to the folder i should etc.. Cant understand why, specially since even the host cant help me..

Are you still not able to use openvpn? If not can you post your settings and whether or not your using network-manager?

[karlchen]

Hello, eddyNOR.

Let me repeat that I had no intention of being offensive by stating that you do not really understand what you are looking for when looking at your network and that you do not really understand what you see when you use various network utilities like for example the portscan utility inside Network Diagnostics. No-one was born a network expert. And I would not even pretend being a network expert after working in IT for more than 20 years. IT is simply too complex to be an expert in all areas. And as most people whom I know and who use computers are not even workig in IT, I know that they are simply lost if they face a problem affecting their computer, because they have never received any IT training at all. Even more: on the one hand, they are likely to ignore problems which do exist and which do get logged in the logfiles. On the other hand, they are likely to see problems where there are none.

So far we have failed to clear up which problem you are facing and what needs to be done to solve it. Actually we have even failed to make sure that the main problem that you reported "Why does my firewall keep turning off?" really exists. Therefore personally I have deliberately ignored the second problem which you reported "And my vpn not work?" The two problems might be related. But chances are that they are totally unrelated. Therefore trying to clear up two problems in a single thread will be inifficient at best, prevent any of the two problems form being analyzed and solved in the worst case.

Hence I would like to suggest the following approach:

• Let us start all over again from the scratch ignoring (almost) anything that has been discussed so far.
• Let us split the two problems "Why does my firewall keep turning off? And my vpn not work?" into two separate threads. - Ideally, you will simply open a new thread asking "[Mint 12] Why does my vpn not work?" - Or if you absolutely refuse to do so, let us clearup the question "Why does my firewall keep turning off?" first and only once this has been done address the second question "Why does my vpn not work?" - Else this thread will easily end in a mess.

Kind regards,
Karl

[karlchen]

Hello, eddyNOR.

I have a fresh installation of Mint 12(Lisa)

I will be running my Linux Mint 12 "Lisa" as well when answering here. Yet, i am using a localized German version. As a consequence, I will have to translate back to English some of the localized names which I see. And my translation back to English may not always give exactly the same term which is used by the genuine English version. Sorry for any confusion this may cause.

Why does my firewall keep turning off?

Can you please provide detailled pieces of information which prove that your firewall keeps turning off?

• In order to do so you will have to go through the logfiles /var/log/ufw.log and /var/log/syslog. In case you need help interpreting the two files and in identifying lines which are about your firewall UFW (uncomplicated firewall), please, upload the two files for inspection.
• You can also check whether the UFW process is still loaded by executing the command

  Code: Select all

  sudo ufw status

  or

  Code: Select all

  sudo ufw status verbose

And i took a port scan an a lot of ports where open

If you use the portscan which the programme gnome-nettool (Mint Menu => Others => Network Diagnostics) offers and use it to check your own machine (IP address 127.0.0.1) you may see a list of ports which your machine is listening on. The fact that these ports are open does not automatically imply that other computers can connect to these ports. External access to theses ports may be blocked by UFW.
(We have already verified that your UFW has been instructed to block any incoming traffic.)
Using the port-scan tab inside gnome-nettool and telling gnome-nettool to scan 127.0.0.1 for open ports will generate the same output as executing this commandline

Code: Select all

netstat -an | grep tcp

Run on my machine this will yield this output

Code: Select all

karl@unimatrix0 ~ $ netstat -an | grep tcp
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN     
tcp6       0      0 ::1:631                 :::*                    LISTEN     
karl@unimatrix0 ~ $

As the screen output above reveals Mint 12 is listening on 4 different ports.

• Does this mean that other computers can connect to these ports on my machine? => It could mean so, provided there is no guardian preventing other computers from accessing these ports from outside.
• Does this mean that UFW is failing partially or totally or that it has been switched off? => It is not possible to tell from the output of "netscan -an | grep tcp" or from the output of gnome-nettool => port-scan.

This is where we need to check whether our guardian UFW is doing its job by executing the commandline

Code: Select all

sudo ufw status verbose

So here is the result for my Linux Mint 12 "Lisa":

Code: Select all

karl@unimatrix0 ~ $ sudo ufw status verbose
[sudo] password for karl:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New Profile: skip
karl@unimatrix0 ~ $

UFW is active and it denies any incoming requests to connect to my machine, no matter which port number is given. Therefore the fact that the internal port-scan revealed 4 ports on which "Lisa" is listening does not imply that other computers will be able to connect to these ports from outside. UFW simply denies them any access.

But i can see it is turned off again today.

What exactly is that tells you that your UFW has been turnt off today (or the day before yesterday by now)? The port-scan results alone cannot answer this question as has been explained above.

A first hint would be that the command

Code: Select all

sudo ufw status

does not return the state "active". Other hints might be found by inspecting the logfiles /var/log/ufw.log and /var/log/syslog.
A pretty reliable way of finding out whether other computers inside your own network can connect to the open ports would be by going to another computer in your own network and try to connect to those ports which your machine is listening on.
This brings us to the question:
What is your own network? Is there a local network at all? To which network is your computer connected? - I will deliberately postpone these questions for the moment and come back to them later if need be. (Need will be.)

i know i where hacked some weeks ago on a windows computer and i dont want that to happen again..

Well, this is clearly understandable. Yet, how is your Linux Mint 12 machine related to the Windows machine which was hacked? They are two separate machines, aren't they?

So in order to find out whether the problem/risk which you are worried about, i.e. that UFW does not reliably protect your "Lisa" against attacks from outside or even not at all, really exists, it will be really helpful if you provide substantial pieces of evidence that UFW really malfunctions with the help of:

• the commands

  Code: Select all

  sudo ufw status
sudo ufw status verbose

• entries from the logfiles /var/log/ufw.log and/or /var/log/syslog
• Of course, you may also use a programme like e.g. Net Active Viewer which can monitor and display network connections and post a screenshot here which illustrates that an external machine has successfully connected to your "Lisa".
  (The installation package netactview_0.6.1-1_i386.deb works fine here on Linux Mint 12 "Lisa" 32-bit. In case you are running a 64-bit "Lisa", you will have to use the netactview_0.6.1-1_amd64.deb instead.)

Kind regards,
Karl
--
P.S.:
The snapshot saved with the help of Net Active View might look like this e.g.:

Code: Select all

Protocol   Local Address : Local Port   State   Remote Address : Remote Port   Remote Host   Local Host   Pid   Program   Command
---------------------------------------------------------------------------------------------------------------------------------

2012-04-15  16:23:37
---------------------
tcp           127.0.0.1 : 25      LISTEN                      * : *      .                      `  `  `   `
tcp           127.0.0.1 : 631     LISTEN                      * : *      .                      `  `  `   `
tcp                   * : 139     LISTEN                      * : *      .                      `  `  `   `
tcp                   * : 445     LISTEN                      * : *      .                      `  `  `   `
tcp      192.168.178.25 : 35087   TIME_WAIT      173.194.65.113 : 80     ee-in-f113.1e100.net   `  4510  opera   /usr/lib/opera/opera http://netactview.sourceforge.net
tcp6                ::1 : 631     LISTEN                      * : *      .                      `  `  `   `
udp                   * : 68                                  * : *      .                      `  `  `   `
udp                   * : 5353                                * : *      .                      `  `  `   `
udp                   * : 36075                               * : *      .                      `  `  `   `
udp     192.168.178.255 : 137                                 * : *      .                      `  `  `   `
udp      192.168.178.25 : 137                                 * : *      .                      `  `  `   `
udp                   * : 137                                 * : *      .                      `  `  `   `
udp     192.168.178.255 : 138                                 * : *      .                      `  `  `   `
udp      192.168.178.25 : 138                                 * : *      .                      `  `  `   `
udp                   * : 138                                 * : *      .                      `  `  `   `
udp6                  * : 42544                               * : *      .                      `  `  `   `
udp6                  * : 5353                                * : *      .                      `  `  `   `

No, there is no hint in this snapshot that an external machine has connected to my machine.

[eddyNOR]

Hi Karl, and thank you for your answers! I appreciate that! I will answer short today since i have to go to bed, and take it tommorrow.

But the first reason i tought/or did see my ufw was off was when i used the grapihical interface for the firewall(firewall configuration) And when i opened it again it was turned off(though i didnt use the terminal to determine if it really was of) Then i tried a portscan an did see all the ports open, and since im a little paranoid from the last attack i thinked maybe it was an attack and posted the post here very fast.

And i havent had a problem with the firewall anymore as i can see. Now it have been some other issues(suddenly it uploads 30-40mb/s)

I dont think you where offensice just honest!(But what i meant with understand more now was i understand more how i can see if something really is wrong, but i still cant see it for sure ofcourse, but just some simple commands are more than before if you understand )

I really havent had time to read the log yet, but i will post as soon i have done it and upload it if it isnt to big or if it is nothing to see. In the meanwhile i will upload some strange screenshots of what happend 2-3 times(One of the times my screen whent black in 4-5sec before it happend)

And i agree with not mixing the firewall and the vpn, i just wanted to connect to my vpn to "protect" the computer a bit more..

I really have to go to bed but i upload the screenshots for you to see.

Thank you for taking time with helping me, i will try finding out the answer of the rest of the "questions" until tomorrow. Thanks again

By the way, i got my vpn to work with changing the nameservers in resolv.conf to my vpn hosts.. But i have to do it everythime i log in.. Cant get it to work with network manager.. But thats not the problem!

[karlchen]

Good evening, EddyNOR.

First things first: I am glad you that you did not feel offended and posted back.

(1) UFW vs. GUFW

the first reason i tought/or did see my ufw was off was when i used the grapihical interface for the firewall(firewall configuration)

Could the reason simply be a minor handling issue of GUFW (graphic uncomplicted firewall) which irritate me as well when using it for the first time?
In order to use UFW as well as GUFW you have to prefix "sudo " to the commandline. Hm, in case of GUFW, it is more likely you will launch it using the menu, which in turn will execute something like

Code: Select all

gksu gufw

.
When you launch

Code: Select all

sudo ufw status verbose

you will be prompted to enter your password. Then UFW will simply display its status.
When you launch

Code: Select all

gksu gufw

you will be prompted to enter your password. Then GUFW will display its application window. But everything will still be grayed out, intriguing you into believing ufw might not be activated.

GUFW UI locked

GUFW_UI_locked.png (22.14 KiB) Viewed 983 times

Inside GUFW you have to click on the yellow lock in the lower righthand corner in order to unlock the interface. Once you klick there GUFW will display the current status of UFW.

GUFW UI unlocked

GUFW_UI_unlocked.png (24.03 KiB) Viewed 983 times

i havent had a problem with the firewall anymore as i can see

Great. Hope UFW will continue doing its job properly in the future as well.


(2) Mysterious upload process

Now it have been some other issues(suddenly it uploads 30-40mb/s)

The Gnome System Monitor screenshots are fine. System-Monitor is a pretty useful utility which I use a lot, also in order to monitor upload and download speed. Yet, the drawback to System Monitor is that it cannot tell you which process is uploading or downloading to the network / to the internet.
In order to find out the process name which is relevant in order to determine whether you should be worried or not, the little programme which I mentioned in my previous post is really handy: Net Active Viewer. Under "View" it can easily be persuaded to display the commandline for each open connection (incoming and outgoing).
In your case, where your machine uploads data somewhere, so outgoing data, it might be particularly helpful to learn which process initiated the connection.

Just a wild guess: Could it be that you are using something like Ubuntu One and configured it to perform a synchronization in regular intervals?


(3) VPN connection

i got my vpn to work with changing the nameservers in resolv.conf to my vpn hosts. But i have to do it everythime i log in.. Cant get it to work with network manager

First, great that you solved the problem. Second, not quite to sgreat that you have to correct the /etc/resolv.conf file every time manually.
I am not quite sure whether this remaining issue is caused by Network Manager. I simply do not know. All I experienced my self from time to time that /etc/resolv.conf can hold inappropriate data or none at all if you switch between network configurations and some of them are handled by Network Manager, but some are not.

Kind regards,
Karl