Does iptables in Workstation have a serious leak?

Hi
The iptables -S command shows the OUTPUT -j ACCEPT rule.
Is this correct or an error?
I think this is a serious mistake because it opens all outgoing traffic from the virtual machine, not just to the Whonix Gateway …
Whonix Workstation version 15.0.0.8.9 on Virtualbox.
Best Regards!

Please see:

and if applicable, please write a bug report

Bug Reports, Software Development and Feature Requests

I don’t use Google services (captcha), so I can’t create an account on Phabricator.
May I ask you for help here?
Please :wink:

Edit:
Until your patch is made, I can delete this rule with the iptables -D OUTPUT -j ACCEPT command.
But I have a question: how do I make the change permanent (after a restart)?
Installing iptables-persistent and the netfilter-persistent save command has broken something on WW :frowning:

My previous post doesn’t imply you need to use Phabricator. You can post here. A proper bug report is required. Please read the links above.

I don’t see any problem with that. See also:

whonix-firewall/man/whonix_firewall.8.ronn at master · Whonix/whonix-firewall · GitHub

If you disagree, the only option is to demonstrate an actual leak and/or to suggest a patch that doesn’t break things. Reasons:

Unsupported.

Maybe I don’t understand the principle of the firewall in WW.
It just seemed to me that all the other rules in the list below OUTPUT -j ACCEPT are unnecessary and do nothing useful.
I was afraid that this is a very general rule that allows everything.

So it is not possible to leak from WW directly to the host (clearnet) bypassing WG because of this permitting rule?

I’m too thin to write a patch ;)

Of course, I’m not undermining the great work of you and the whole team!
I will donate soon…
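The worry raised above is really a question about rule ordering: in an iptables chain, the first matching terminating rule decides the packet, so an unconditional `-j ACCEPT` (no interface, address, port or state match) makes every rule listed after it in that chain unreachable. The script below is an added example, not code from the Whonix project or from anyone in this thread. It parses the output format of `iptables -S`, finds the first unconditional terminating rule in each chain, and reports the rules it shadows. The two rule listings embedded in it are constructed for the demonstration (the gateway address 192.0.2.10 and port 9050 are placeholders, not values taken from a real Whonix-Workstation), so the shadowing it reports says nothing about the real firewall; run it on your own `iptables -S` output to check.

```python
"""Audit an `iptables -S` listing for rules shadowed by an earlier
unconditional terminating rule in the same chain.

Added example; the sample listings below are constructed, not captured
from a real Whonix-Workstation.
"""
import shlex
import sys

# Targets that end rule traversal for a matching packet. LOG, MARK and
# similar targets are non-terminating, so they never shadow later rules.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}

# Constructed: a catch-all ACCEPT placed before the specific OUTPUT rules.
SAMPLE_SHADOWED = """
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 192.0.2.10/32 -p tcp -m tcp --dport 9050 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
"""

# Constructed: the same rules, with the catch-all moved to the end.
SAMPLE_OK = """
-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 192.0.2.10/32 -p tcp -m tcp --dport 9050 -j ACCEPT
-A OUTPUT -j ACCEPT
"""


def parse_rule(line):
    """Parse one `-A CHAIN ... -j TARGET [target options]` line.

    Returns None for policy lines (-P), new-chain lines (-N) and blanks.
    Everything between the chain name and `-j`/`-g` is a match criterion;
    tokens after the target are target options (e.g. --reject-with) and
    do not restrict which packets the rule matches.
    """
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    chain, rest = toks[1], toks[2:]
    criteria, target = [], None
    for i, tok in enumerate(rest):
        if tok in ("-j", "-g") and i + 1 < len(rest):
            target = rest[i + 1]
            break
        criteria.append(tok)
    return {"chain": chain, "target": target, "criteria": criteria, "line": line}


def is_unconditional_terminating(rule):
    """True if the rule matches every packet and ends traversal."""
    return rule["target"] in TERMINATING and not rule["criteria"]


def find_shadowed(listing):
    """Map chain -> (shadowing rule, [rules after it that can never match]).

    Chains without an unconditional terminating rule, or where that rule
    is last, are omitted.
    """
    chains = {}
    for raw in listing.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule is not None:
            chains.setdefault(rule["chain"], []).append(rule)

    report = {}
    for chain, rules in chains.items():
        for idx, rule in enumerate(rules):
            if is_unconditional_terminating(rule):
                shadowed = [r["line"] for r in rules[idx + 1:]]
                if shadowed:
                    report[chain] = (rule["line"], shadowed)
                break  # only the first catch-all matters
    return report


def main():
    # Read a listing from stdin (e.g. `iptables -S | python3 audit.py`),
    # or fall back to the constructed sample when run without input.
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SHADOWED
    report = find_shadowed(listing)
    if not report:
        print("no shadowed rules found")
    for chain, (catch_all, shadowed) in report.items():
        print(f"chain {chain}: '{catch_all}' shadows {len(shadowed)} rule(s):")
        for line in shadowed:
            print("   ", line)


if __name__ == "__main__":
    main()
```

Note what the check does and does not tell you. A shadowed rule is dead configuration, which is worth cleaning up, but whether a catch-all ACCEPT in the workstation's OUTPUT chain is a leak depends on where enforcement actually happens; as the replies in this thread point out, the gateway side is what isolates the workstation from clearnet, and the workstation firewall is not what leak protection relies on.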

Whonix-Workstation firewall isn’t the best invention of Whonix.

Leak protection doesn’t rely on Whonix-Workstation firewall. Earlier Whonix versions didn’t have a Whonix-Workstation firewall.