Whonix Wiki Download Docs News Support Tips Issues Contribute DONATE

print ports opened in the firewall.

For me todo later if accepted.

on the respective /usr/bin/whonix-TYPE-firewall


end() {
   output_cmd "OK: Whonix firewall loaded."
   exit 0

Good? Can be default? I think it is very useful.

1 Like

Generally I am open the the idea. Seems useful.

/usr/bin/whonix-TYPE-firewall --ports

Or --info instead?

Worried user questions which will be caused by this if too verbose by default:

  • Is it normal that INTERNAL_OPEN_PORTS xx is open?
  • Is my connection broken because there are no EXTERNAL_OPEN_PORTS, should I add some?

Output of Whonix firewall is also integrated in sdwdate-log-viewer because of ⚓ T533 iptables block network access until sdwdate succeeded and that would be confusing.


got it

on my todo

1 Like

Can you point where are INTERNAL_OPEN_PORTS being opened in whonix-workstation-firewall, I didn’t find it.

1 Like

You sure?

   if [ "$firewall_mode" = "timesync-fail-closed" ]; then
                  local socks_port_item
                  for socks_port_item in $INTERNAL_OPEN_PORTS; do

It is only called if firewall_mode=timesync-fail-closed

1 Like

and it is rejecting

1 Like

Added some comments inline on github.

1 Like

My mistake. Now understand your question.

Nowhere. It’s not needed. If it’s not rejected, it’s permitted by default.

There isn’t “much” filtering in the output chain (function ipv4_output) when firewall_mode=full.

The whole ipv4_output function looks overly lengthy and complicated due to timesync-fail-closed firewall mode and TUNNEL_FIREWALL_ENABLE mode. For a different topics,

1 Like

This was merged.