integrate whonix-firewall-plugin.sh into whonix-gw-firewall

phabricator-migrator · February 19, 2024, 5:48pm

Information

ID: 395
PHID: PHID-TASK-3w5d42fz5y3omduoxrzd
Author: Patrick
Status at Migration Time: resolved
Priority at Migration Time: Normal

Description

During cleanup / refactoring of the qubes-whonix package, I was wondering…

For #Whonix_12, I intent to move
https://github.com/adrelanos/qubes-whonix/blob/master/usr/lib/qubes-whonix/init/whonix-firewall-plugin.sh
directly into
https://github.com/Whonix/whonix-gw-firewall/blob/master/usr/bin/whonix_firewall

Is there any reason against that?

Then the GATEWAY_IPv4_DROP_INVALID_INCOMING_PACKAGES_POST_HOOK (https://github.com/adrelanos/qubes-whonix/blob/master/etc/whonix_firewall.d/40_qubes) could be deprecated.

I would find that easier to grasp and maintain. From perspective of upgrading packages, time required for that, nothing would change.

@nrgaway

Comments

nrgaway

2015-08-12 08:50:16 UTC

It would be nice to eliminate anything that is not Qubes specific in qubes-whonix pacakge completely, or as much as possible. Anything you can take out of it by intergrating into Whonix would be a good thing.

I also think template-whonix should be replaced by Whonix in two stages.

Stage 1:
Merge template-whonix into Whonix; directory structure can easily be re-worked for template-whonix
Include qubes-whonix package in your packages

Stage 2:
qubes-builder could then build the Whonix pacakges in the build stage (make qubes-vm) and they would then be available to install in the build-template stage (make template) thus allowing for a fully integrated Whonix build. This involves adding the Whonix packages to COMPONENTS in the builder.conf file in template-whonix and then they will be downloaded to qubes-src directory

Patrick

2015-08-12 13:45:22 UTC

Stage 1 sounds good.

Not sure about Stage 2. Building all packages in the (jessie) chroot so build dependencies are not installed within the image would be nice. No idea how much work that would be. qubes-builder would have to be modified to be able to build Whonix’s packages. (With dynamic replace of debian/rules hack - building the same packages using two different ways is inviting trouble.) qubes-builder could even build those packages using genmkfile - since genmkfile is usable without installing it on the build machine. (Thanks to environment variable GENMKFILE_PATH.)

Anyhow. Implemented this ticket.

integrated Qubes-Whonix firewall rules (only load when run in Qubes) so those can be removed from the qubes-whonix package, deprecated GATEWAY_IPv4_DROP_INVALID_INCOMING_PACKAGES_POST_HOOK - https://phabricator.whonix.org/T395:
https://github.com/Whonix/whonix-gw-firewall/commit/e0b5d9e2e9d60c634b48584961c7493adc517ead

merged whonix-firewall-plugin.sh into whonix-gw-firewall - https://phabricator.whonix.org/T395:
merged whonix-firewall-plugin.sh into whonix-gw-firewall - https://ph… · adrelanos/qubes-whonix@d0ff132 · GitHub

integrated Qubes-Whonix firewall rules (only load when run in Qubes) so those can be removed from the qubes-whonix package, deprecated GATEWAY_IPv4_DROP_INVALID_INCOMING_PACKAGES_POST_HOOK - https://phabricator.whonix.org/T395 :
https://github.com/Whonix/whonix-gw-firewall/commit/e0b5d9e2e9d60c634b48584961c7493adc517ead

refactoring Qubes firewall rules, 'export' for variables INT_IF and INT_TIF not required, therefore removed:
https://github.com/Whonix/whonix-gw-firewall/commit/a88586071ba4026fdb3b025c393ff9a8d7dba355

whonix-gw-firewall: refactoring, set INT_IF and INT_TIF for Qubes earlier (below the regular setting of these variables):
https://github.com/Whonix/whonix-gw-firewall/commit/907f999c9ddc6d9b7bec9eb04c8a5f503cd87c2f