nyxnor
September 23, 2022, 10:11pm
1
For me todo later if accepted.
On the respective /usr/bin/whonix-TYPE-firewall:
print_ports() {
    ## Print the port lists in a shell-parsable KEY="value" form.
    printf '%s\n' "INTERNAL_OPEN_PORTS=\"${INTERNAL_OPEN_PORTS[@]}\""
    printf '%s\n' "EXTERNAL_OPEN_PORTS=\"${EXTERNAL_OPEN_PORTS[@]}\""
}
end() {
    ## Called once all rules are loaded: report success and the open ports.
    output_cmd "OK: Whonix firewall loaded."
    print_ports
    exit 0
}
Good? Can be default? I think it is very useful.
1 Like
Patrick
September 24, 2022, 9:45am
2
Generally I am open to the idea. Seems useful.
/usr/bin/whonix-TYPE-firewall --ports
or --info instead?
Worried about user questions which will be caused by this if too verbose by default:
Is it normal that INTERNAL_OPEN_PORTS xx is open?
Is my connection broken because there are no EXTERNAL_OPEN_PORTS, should I add some?
Output of Whonix firewall is also integrated in sdwdate-log-viewer because of T533 (iptables block network access until sdwdate succeeded) and that would be confusing.
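The --ports / --info idea from the post above, as an added sketch that is not Whonix's own code: a report-only option prints the port variables and exits without touching any rules, while the plain invocation goes on to load the firewall. The variable names INTERNAL_OPEN_PORTS and EXTERNAL_OPEN_PORTS follow the thread; the sample values, the function names and the dry-run loader are constructed for the example.

```shell
#!/bin/sh
## Added example (not Whonix's own script): a --ports/--info option that
## only reports the configured port lists. Sample values below are
## constructed; a real script would source them from its config files.
set -u

INTERNAL_OPEN_PORTS="9050 9150"
EXTERNAL_OPEN_PORTS=""

## Print the port lists in a shell-parsable KEY="value" form.
print_ports() {
  printf '%s\n' "INTERNAL_OPEN_PORTS=\"${INTERNAL_OPEN_PORTS}\""
  printf '%s\n' "EXTERNAL_OPEN_PORTS=\"${EXTERNAL_OPEN_PORTS}\""
}

## Stand-in for loading the rule set: prints instead of calling iptables,
## so the example runs without privileges.
load_firewall() {
  printf '%s\n' "OK: firewall loaded (dry run)."
}

## Dispatch on the first argument. With --ports or --info the script only
## reports and never modifies rules; with no argument it loads the firewall.
## Returns 0 on success, 2 on an unknown option.
firewall_main() {
  case "${1:-}" in
    --ports|--info)
      print_ports
      ;;
    "")
      load_firewall
      ;;
    *)
      printf '%s\n' "unknown option: $1" >&2
      return 2
      ;;
  esac
}

firewall_main "$@"
```

Keeping the report path separate from the load path also means the verbose output never ends up in the sdwdate-log-viewer integration mentioned above: it is only produced when someone explicitly asks for it.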
nyxnor
September 26, 2022, 1:58pm
4
Can you point to where INTERNAL_OPEN_PORTS are being opened in whonix-workstation-firewall? I didn’t find it.
#!/bin/bash
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
#### meta start
#### project Whonix
#### category networking and firewall
#### description
## firewall script
#### meta end
## NOTE: If you make changes to this firewall, think about, if it would
## make sense to add the changes to Whonix-Gateway script as well.
## Some things like dropping invalid packages, should be shared.
## TODO:
## - Should allow unlimited TCP/UDP/IPv6 traffic on the virtual external interface (OnionCat / OpenVPN).
## source for some rules:
nyxnor
September 26, 2022, 3:23pm
7
You sure?
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
    local socks_port_item
    for socks_port_item in $INTERNAL_OPEN_PORTS; do
It is only called if firewall_mode=timesync-fail-closed.
1 Like
Patrick
September 26, 2022, 3:26pm
9
Added some comments inline on github.
1 Like
Patrick
September 26, 2022, 3:39pm
10
My mistake. Now understand your question.
Nowhere. It’s not needed. If it’s not rejected, it’s permitted by default.
There isn’t “much” filtering in the output chain (function ipv4_output) when firewall_mode=full.
Hard to find any actually…
UDP is blocked, which is more of a usability feature.
optional outgoing_allow_ip_list
The whole ipv4_output function looks overly lengthy and complicated due to timesync-fail-closed firewall mode and TUNNEL_FIREWALL_ENABLE mode. For a different topic,
1 Like
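The point made in the last two posts, that INTERNAL_OPEN_PORTS only matters in timesync-fail-closed mode while the full mode output chain permits by default, as an added dry-run sketch that is not the Whonix firewall code: the function prints the rules it would install instead of calling iptables. The names firewall_mode, INTERNAL_OPEN_PORTS and ipv4_output come from the thread; the gateway address, the exact rule wording and the sample port list are constructed assumptions.

```shell
#!/bin/sh
## Added example (not Whonix's own code): why the output chain differs
## between firewall modes. Sample values are constructed.
GATEWAY_IP="10.152.152.10"
INTERNAL_OPEN_PORTS="9050 9150"

## Emit a rule as text rather than running iptables, so this runs unprivileged.
rule() {
  printf 'iptables %s\n' "$*"
}

## Build the OUTPUT chain for the given firewall_mode and print the rules.
ipv4_output() {
  mode="$1"
  ## Dropping invalid packets is shared by both modes.
  rule -A OUTPUT -m conntrack --ctstate INVALID -j DROP
  case "$mode" in
    timesync-fail-closed)
      ## Fail closed: until time synchronisation succeeded, only the listed
      ## internal ports on the gateway are reachable; the chain ends with a
      ## catch-all REJECT, so the port list is what opens anything at all.
      for socks_port_item in $INTERNAL_OPEN_PORTS; do
        rule -A OUTPUT -p tcp -d "$GATEWAY_IP" --dport "$socks_port_item" -j ACCEPT
      done
      rule -A OUTPUT -j REJECT
      ;;
    full)
      ## Normal operation: UDP is rejected as a usability measure, but there
      ## is no catch-all REJECT, so whatever is not explicitly rejected is
      ## permitted. INTERNAL_OPEN_PORTS is never consulted on this path.
      rule -A OUTPUT -p udp -j REJECT
      ;;
    *)
      printf 'unknown firewall_mode: %s\n' "$mode" >&2
      return 1
      ;;
  esac
}

## Number of ACCEPT rules a mode produces: non-zero only in fail-closed mode,
## which is why the port list cannot be found being "opened" in full mode.
count_accepts() {
  ipv4_output "$1" | grep -c -- '-j ACCEPT' || true
}

ipv4_output "${1:-full}"
```

Run it with timesync-fail-closed as the first argument to see the per-port ACCEPT rules followed by the final REJECT; with no argument (full mode) the only filtering rule after the INVALID drop is the UDP reject.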