
Firewall, Tor Traffic (open ports)


#1

Hello dear Whonix, good wishes for the past New Year and Christmas holidays!!!

Now closer to the point: how to open some ports on the gateway? If I'm right, the workstation also has a firewall, but it is just the default.
I have the 12.0.0.3.2-developers-only version and can't even use svn, because of some closed port(s) it uses; also Pidgin only works with the 10.152.152.10 9101 socks5 settings, but the problem is I can't connect to any contacts, maybe because exactly Tor traffic is unsupported?

Need to open OpenVPN port 1194 and maybe ports 80, 443.
I know Tor traffic goes only through the TCP protocol, with only port 9050 open in the workstation (scanned with nmap on 127.0.0.1), I guess like on the gateway.

So I'm interested more in traffic, exactly Tor traffic, to use anonymously with different tools supporting IRC, XMPP, mail, VPN, svn. Sure, I'm learning from the wiki, forum and other info about iptables, but not much about advanced things like traffic; this thread is informative but not much.

That is, what about mixed traffic on W. with OpenVPN, and other such questions.

Many thanks


#2

[quote=“vID, post:1, topic:2079, full:true”]if i right workstation also have firewall but it just default.
[/quote]

Workstation is firewalled (by the Gateway) but its built-in firewall is disabled by default. See: https://www.whonix.org/wiki/Whonix-Workstation_Firewall

I can’t answer for SVN, but Pidgin and OpenVPN (client) work without modifying Whonix’s firewall. If you are having trouble with those two, it is unrelated to the firewall. More info here: https://www.whonix.org/wiki/Install_Software#Whonix-Workstation_is_firewalled

TCP, yes. I actually don't know what the source ports are in Workstation (maybe identical to destination ports on the Gateway?). In any case, traffic is routed through several dozen ports on the Gateway so that the Gateway can route each stream through a separate Tor circuit: Stream Isolation. See in Gateway: /usr/share/tor/tor-service-defaults-torrc for all the ports in use.

Whonix is designed to route ALL of your traffic over Tor. iptables does not need to be modified to achieve that. It sounds like you are interested in using client applications, which should just work.
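An added example, not part of the post above and not Whonix or Tor project code: a small parser that lists the `SocksPort` listeners in a torrc-style file together with their stream-isolation flags, which is the quickest way to see which Gateway ports exist and how each one separates circuits. The embedded `SAMPLE_TORRC` is a constructed sample in Tor's `SocksPort` syntax; its ports and flags are assumptions, not the real contents of `/usr/share/tor/tor-service-defaults-torrc` (only the 10.152.152.10 address and port 9101 come from the thread). The `split_addrport`, `parse_socksports`, `ports_by_address` and `ports_without_explicit_isolation` function names are mine.

```python
"""List the Tor SocksPort listeners in a torrc-style file, with their
stream-isolation flags.

Added example for this thread, not Whonix or Tor project code.  On a
Whonix-Gateway it can be pointed at the file named in the post:

    python3 list_socksports.py /usr/share/tor/tor-service-defaults-torrc

Without an argument it parses SAMPLE_TORRC, a constructed sample whose
ports and flags are assumptions, not the real Whonix defaults.
"""
import sys
from dataclasses import dataclass, field

# Constructed sample in Tor's SocksPort syntax: "SocksPort [addr:]port flags..."
SAMPLE_TORRC = """\
# Listeners on the Gateway's internal interface (constructed sample).
SocksPort 10.152.152.10:9050 IsolateDestAddr IsolateDestPort
SocksPort 10.152.152.10:9100 IsolateDestAddr IsolateDestPort IsolateClientProtocol
SocksPort 10.152.152.10:9101 SessionGroup=1
SocksPort 10.152.152.10:9150 IsolateSOCKSAuth OnionTrafficOnly
# A bare port: Tor binds it on 127.0.0.1.
SocksPort 9200
TransPort 10.152.152.10:9040
DNSPort 10.152.152.10:5300
"""

# Flag prefixes that control circuit sharing.  Tor matches flag names
# case-insensitively, so they are lower-cased before comparison.
ISOLATION_PREFIXES = ("isolate", "noisolate", "sessiongroup=")


@dataclass
class SocksListener:
    address: str
    port: int                      # None when the line says "auto"
    isolation: list = field(default_factory=list)
    other_flags: list = field(default_factory=list)


def split_addrport(token):
    """Split 'addr:port', '[v6addr]:port' or a bare 'port' (Tor default 127.0.0.1)."""
    if ":" in token:
        addr, _, port = token.rpartition(":")
        addr = addr.strip("[]")
    else:
        addr, port = "127.0.0.1", token
    return addr, (None if port.lower() == "auto" else int(port))


def parse_socksports(text):
    """Return one SocksListener per enabled SocksPort line, in file order."""
    listeners = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0].lower() != "socksport" or len(parts) < 2:
            continue
        fields = parts[1].split()
        addr, port = split_addrport(fields[0])
        if port == 0:
            continue                               # "SocksPort 0" disables SOCKS
        entry = SocksListener(addr, port)
        for flag in fields[1:]:
            if flag.lower().startswith(ISOLATION_PREFIXES):
                entry.isolation.append(flag)
            else:
                entry.other_flags.append(flag)
        listeners.append(entry)
    return listeners


def ports_by_address(listeners):
    """Map bind address -> sorted ports (an 'auto' port sorts last)."""
    out = {}
    for l in listeners:
        out.setdefault(l.address, []).append(l.port)
    return {a: sorted(ps, key=lambda p: (p is None, p or 0)) for a, ps in out.items()}


def ports_without_explicit_isolation(listeners):
    """Ports whose line carries no Isolate*/SessionGroup flag.  Streams on
    such a port are still kept off circuits used by other listeners and by
    streams with different SOCKS credentials (Tor isolates by listener and
    by SOCKS auth by default), but otherwise share circuits with each other."""
    return [l.port for l in listeners if not l.isolation]


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_TORRC
    listeners = parse_socksports(text)
    for l in listeners:
        print(f"{l.address}:{l.port}\t{' '.join(l.isolation) or '(no isolation flags)'}")
    print("ports per address:", ports_by_address(listeners))
    print("no explicit isolation:", ports_without_explicit_isolation(listeners))


if __name__ == "__main__":
    main(sys.argv)
```

The script reads the file, so it needs no network and can be run on the Gateway as any user that can read the torrc; a port listed with no isolation flags is the one to watch, since every application pointed at it shares circuits unless it supplies distinct SOCKS credentials.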


#3

entr0py thanks for the reply, but you use just general phrases, nothing specific on HOW TO OPEN exactly the needed gateway ports. For example, have you ever tried to connect on W. to an IRC server which uses non-default ports (6667 or 6697), or I2P, which for proper work needs the router port open for inbound traffic (not so safe as with it closed, but more workable; a random port like 12345)? And there are a lot of ways apps use them.

Also there are 1 and 0 entries in the G. firewall; is it like Firefox about:config's settings? 1 means true/yes, 0 means false/no. Are these configs the default iptables settings, or are they properly built for the Gateway by the Whonix Team? Where can I read more about these settings? I checked the wiki already.


#4

Connecting to non-default ports with client connections, such as IRC servers on port 7000 (freenode SSL) etc., just works out of the box. No need to open any ports. If you want to put it that way, those outgoing ports are already open.

As for opening incoming ports, this is strictly speaking unsupported by Tor. In usual anonymous / Tor workflows, opening ports in your local physical home router device and forwarding them to Whonix-Workstation is usually neither recommended nor required. There are several workarounds for getting incoming server connections working, see:

I2P in Whonix-Workstation works, see the dedicated documentation page:

Also there are 1 and 0 entries in the G. firewall; is it like Firefox about:config's settings? 1 means true/yes, 0 means false/no.

It’s documented in the comments above each entry which setting means what.

Are these configs the default iptables settings, or are they properly built for the Gateway by the Whonix Team? Where can I read more about these settings? I checked the wiki already.

https://github.com/Whonix/whonix-gw-firewall is maintained by Whonix. Settings are documented in the comments above the firewall settings file.

/etc/whonix_firewall.d/30_default.conf
https://github.com/Whonix/whonix-gw-firewall/blob/master/etc/whonix_firewall.d/30_default.conf

Also, for doing specific tasks, there are instructions in the Whonix documentation that refer to changing Whonix firewall settings.

https://www.whonix.org/w/index.php?search=whonix_firewall&fulltext=Search


#5

Patrick thanks, I read this info, but still it's general; the question remains open: how can I enable some needed ports?

Is this info private or something? I remember there was a thread on the old forum about gateway customization, like in the shell, and the OP posted settings for G. to enable torchat and bitcoin (or electrum) ports open on W.; can't find this thread now.

I need a working Bitmask VPN, but it fails with closed ports on W. I'm interested to test and learn some traffic movements, not just to use the default custom build.

Thanks


#6

It’s not private at all. Nothing is. All sources are Free/Libre Software / Open Source.

What you’re asking just doesn’t make sense. As already explained in the above posts, there really is no need to open ports as it will just work. I would only repeat myself.

Adding additional Tor SocksPorts as per the stream isolation Whonix wiki pages only makes sense in a different context. If you run outside of the pre-configured custom ports for stream isolation, then it might make sense to add more. But then you should also consider using multiple Whonix-Workstations. So this is such a minor topic and totally unrelated here.

If something fails it's most likely not due to "closed" ports. It could be a different issue. Such as UDP - see: https://www.whonix.org/wiki/Tor#UDP
Or the service may not accept connections from the Tor network [for spam prevention reasons]. Or it could be configuration issues.

Ask yourself if you are so special that you are the first one ever using Whonix who urgently requires to open ports and this never came up before and everyone else was happy as is.


#7

Yes, all sources are open (I have 12.0.0.3.2-developers-only). I'm not special and not the first who is interested in such modifications; say, what if I want to build my own G. and W. but on Gentoo, everything from sources (manual configs, settings), you know how it goes. I haven't tried to build the gateway yet, but will soon.

Patrick, it's really easier to install Gentoo than to learn how the Whonix firewall works )))))
I think I just need to learn more and it's ok.

And the last thing: there was a Whonix on Gentoo porting project; will it come back? What is needed (contributors, funding) and so on?



#8

CLARK:

And the last thing: there was a Whonix on Gentoo porting project; will it come back?

Very unlikely.

What is needed (contributors, funding) and so on?

Everything. A maintainer working very independently on it while generating less rather than more work on my side.


#9

Thanks


#10

#11

See:
https://forums.whonix.org/t/bitmask