The iptables -S command shows the OUTPUT -j ACCEPT rule.
Is this correct or error?
I think this is a serious mistake because it opens all outgoing traffic from the virtual machine, not just to the Whonix Gateway …
Whonix Workstation version 22.214.171.124.9 on Virtualbox.
And if applicable, please write a bug report.
I don’t use Google services (captcha), so I can’t create an account on Phabricator.
May I ask you for help here?
Until your patch is made, I can delete this rule with the iptables -D OUTPUT -j ACCEPT command.
But I have a question: how do I make the change permanent (after a restart)?
Installing iptables-persistent and the netfilter-persistent save command has broken something on WW
My previous post doesn’t imply you need to use phabricator. You can post here. Proper bug report required. Please read these links above.
I don’t see any problem with that. See also:
If you disagree, the only option is to demonstrate an actual leak and/or to suggest a patch that doesn’t break things. Reasons:
Maybe I don’t understand the principle of the firewall in WW.
It just seemed to me that all the other rules on the list below OUTPUT -j ACCEPT are unnecessary and do nothing useful.
I was afraid that this is a very general rule that allows everything
So it is not possible to leak from WW directly to the host (clearnet) bypassing WG because of this permitting rule?
I’m too thin to write a patch;)
Of course, I’m not undermining the great work of you and the whole team!
I will donate soon…
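The observation above about the rules listed below `OUTPUT -j ACCEPT` can be checked mechanically: in iptables, a rule with no match criteria and a terminating target (ACCEPT, DROP, REJECT) ends traversal of the chain for every packet, so everything after it in that chain is unreachable. The script below is an added example written for this thread, not code from Whonix or the whonix-firewall project. It parses `iptables -S`-style output, reports the effective fate of an otherwise-unmatched packet per chain, and lists rules shadowed by an earlier catch-all. The ruleset in `SAMPLE_RULES` is constructed to mirror the situation described in the posts and is not the real Whonix-Workstation ruleset; feed it `iptables -S` output on a real system via stdin instead. Whether such a chain matters for leak protection is a separate question, which depends on the network topology rather than on this chain alone.

```python
"""Audit iptables -S output for an unconditional catch-all rule and the rules it shadows.

Added example for this thread; not code from Whonix or the whonix-firewall project.
Usage on a live system:  sudo iptables -S | python3 iptables_audit.py
"""
import shlex
import sys
from typing import Dict, List, Optional, Tuple

# Targets that stop traversal of the current chain for a matching packet.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}

# Constructed sample in iptables-save syntax (NOT the real Whonix ruleset):
# an unconditional ACCEPT in OUTPUT followed by rules that can never match.
SAMPLE_RULES = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
"""


def parse_rules(text: str) -> Tuple[Dict[str, str], Dict[str, List[Tuple[List[str], Optional[str], str]]]]:
    """Return (chain -> policy, chain -> [(match tokens, target, raw line)])."""
    policies: Dict[str, str] = {}
    rules: Dict[str, List[Tuple[List[str], Optional[str], str]]] = {}
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        tok = shlex.split(raw)
        if tok[0] == "-P":                      # built-in chain policy
            policies[tok[1]] = tok[2]
            rules.setdefault(tok[1], [])
        elif tok[0] == "-N":                    # user-defined chain
            rules.setdefault(tok[1], [])
        elif tok[0] == "-A":                    # appended rule
            chain = tok[1]
            if "-j" in tok:
                j = tok.index("-j")
                criteria, target = tok[2:j], tok[j + 1]   # tokens after target are target options
            else:
                criteria, target = tok[2:], None          # match-only rule (e.g. counters)
            rules.setdefault(chain, []).append((criteria, target, raw))
    return policies, rules


def analyze(text: str) -> Dict[str, Dict]:
    """Per chain: policy, first unconditional terminating rule, rules after it, effective default."""
    policies, rules = parse_rules(text)
    report: Dict[str, Dict] = {}
    for chain, chain_rules in rules.items():
        catch_all: Optional[str] = None
        catch_all_target: Optional[str] = None
        shadowed: List[str] = []
        for criteria, target, raw in chain_rules:
            if catch_all is not None:
                shadowed.append(raw)            # never evaluated for any packet
            elif not criteria and target in TERMINATING:
                catch_all, catch_all_target = raw, target
        # Fate of a packet that no earlier, more specific rule decided.
        if catch_all_target in {"ACCEPT", "DROP", "REJECT"}:
            effective = catch_all_target
        else:                                   # RETURN or no catch-all: the policy decides
            effective = policies.get(chain, "caller chain")
        report[chain] = {
            "policy": policies.get(chain),
            "catch_all": catch_all,
            "shadowed": shadowed,
            "effective_default": effective,
        }
    return report


def main() -> None:
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RULES
    for chain, info in analyze(text).items():
        print(f"{chain}: policy={info['policy']} effective_default={info['effective_default']}")
        if info["catch_all"]:
            print(f"  catch-all: {info['catch_all']}")
        for raw in info["shadowed"]:
            print(f"  unreachable: {raw}")


if __name__ == "__main__":
    main()
```

Run with no stdin to audit the constructed sample; `OUTPUT` is reported with `effective_default=ACCEPT` and three unreachable rules, while `INPUT` keeps its `DROP` policy because every rule there carries match criteria.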
Whonix-Workstation firewall isn’t the best invention of Whonix.
- see https://github.com/Whonix/whonix-firewall/blob/master/usr/bin/whonix-workstation-firewall
- On top of what https://github.com/Whonix/whonix-firewall/blob/master/man/whonix_firewall.8.ronn#whonix-workstation-firewall-design-notes describes
- it doesn’t allow firewall rules in state
- and blocks invalid packets
- tunnel firewall feature
- Optional iptables feature that blocks network access until sdwdate has succeeded (to become a default feature one day).
Leak protection doesn’t rely on Whonix-Workstation firewall. Earlier Whonix versions didn’t have a Whonix-Workstation firewall.