Hi
The iptables -S command shows the OUTPUT -j ACCEPT rule.
Is this correct or error?
I think this is a serious mistake because it opens all outgoing traffic from the virtual machine, not just to the Whonix Gateway …
Whonix Workstation version 15.0.0.8.9 on Virtualbox.
Best Regards!
Please see:
and if applicable, please write a bug report
I don’t use Google services (captcha), so I can’t create an account on Phabricator.
May I ask you for help here?
Please
Edit:
Until your patch is made, I can delete this rule with the iptables -D OUTPUT -j ACCEPT command.
But I have a question: how do I make the change permanent (after a restart)?
Installing iptables-persistent and the netfilter-persistent save command has broken something on WW
My previous post doesn’t imply you need to use phabricator. You can post here. Proper bug report required. Please read these links above.
I don’t see any problem with that. See also:
whonix-firewall/whonix_firewall.8.ronn at master · Whonix/whonix-firewall · GitHub
If you disagree, the only option is to demonstrate an actual leak and/or to suggest a patch that doesn’t break things. Reasons:
- Bug Reports, Software Development and Feature Requests
Unsupported.
Maybe I don’t understand the principle of the firewall in WW.
It just seemed to me that all the other rules on the list below OUTPUT -j ACCEPT are unnecessary and do nothing useful.
I was afraid that this is a very general rule that allows everything
So it is not possible to leak from WW directly to the host (clearnet) bypassing WG because of this permitting rule?
I’m too thin to write a patch ;)
Of course, I’m not undermining the great work of you and the whole team!
I will donate soon…
Whonix-Workstation firewall isn’t the best invention of Whonix.
- see whonix-firewall/whonix-workstation-firewall at master · Whonix/whonix-firewall · GitHub
- On top of what whonix-firewall/whonix_firewall.8.ronn at master · Whonix/whonix-firewall · GitHub describes
- it doesn’t allow firewall rules in state ESTABLISHED
- and blocks invalid packages
- tunnel firewall feature
- Optional iptables feature that blocks network access until sdwdate has succeeded (one day to become the default).
Leak protection doesn’t rely on Whonix-Workstation firewall. Earlier Whonix versions didn’t have a Whonix-Workstation firewall.
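The question above (whether the rules listed after `OUTPUT -j ACCEPT` do anything) comes down to iptables first-match semantics: within one chain, no rule after an unconditional ACCEPT, DROP or REJECT is ever evaluated. The following added check (my own example, not code from Whonix or from anyone in this thread) reads `iptables -S` style output and lists the rules that are shadowed in that way; the rule set it runs on is constructed for illustration, not taken from a real Whonix-Workstation.

```shell
#!/bin/sh
# Constructed sample in `iptables -S OUTPUT` format (illustration only, not a
# dump from a real Whonix-Workstation). The third line is the blanket ACCEPT
# discussed in the thread; everything after it in the chain can never match.
SAMPLE_RULES='-P OUTPUT DROP
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 10.152.152.10/32 -p tcp --dport 9050 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-admin-prohibited'

# shadowed_rules CHAIN
# Reads `iptables -S` output on stdin and prints every rule appended to CHAIN
# that sits after an unconditional terminating rule, i.e. a rule of the form
# "-A CHAIN -j ACCEPT|DROP|REJECT ..." with no match criteria before "-j".
# Policy lines (-P) and other chains are ignored.
shadowed_rules() {
  chain="$1"
  awk -v chain="$chain" '
    $1 == "-A" && $2 == chain {
      if (dead) { print; next }
      # No match options: the target immediately follows the chain name.
      if ($3 == "-j" && ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT"))
        dead = 1
    }'
}

# shadowed_count CHAIN
# Number of shadowed rules in CHAIN of the sample; 0 means no dead rules.
shadowed_count() {
  printf '%s\n' "$SAMPLE_RULES" | shadowed_rules "$1" | wc -l | tr -d ' '
}

# On a live system the same check is:  iptables -S OUTPUT | shadowed_rules OUTPUT
printf 'Shadowed rules in OUTPUT: %s\n' "$(shadowed_count OUTPUT)"
printf '%s\n' "$SAMPLE_RULES" | shadowed_rules OUTPUT
```

Rules that appear before the blanket ACCEPT (here the INVALID drop) still apply, which is why the position of that rule, not merely its presence, decides what the chain enforces.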