print ports opened in the firewall.

nyxnor · September 23, 2022, 10:11pm

For me todo later if accepted.

on the respective /usr/bin/whonix-TYPE-firewall

print_ports(){
  printf '%s\n' "INTERNAL_OPEN_PORTS=\"${INTERNAL_OPEN_PORTS[@]}\""
  printf '%s\n' "EXTERNAL_OPEN_PORTS=\"${EXTERNAL_OPEN_PORTS[@]}\""
}


end() {
   output_cmd "OK: Whonix firewall loaded."
   print_ports
   exit 0
}

Good? Can be default? I think it is very useful.

Patrick · September 24, 2022, 9:45am

Generally I am open the the idea. Seems useful.

/usr/bin/whonix-TYPE-firewall --ports

Or --info instead?

Worried user questions which will be caused by this if too verbose by default:

Is it normal that INTERNAL_OPEN_PORTS xx is open?
Is my connection broken because there are no EXTERNAL_OPEN_PORTS, should I add some?

Output of Whonix firewall is also integrated in sdwdate-log-viewer because of ⚓ T533 iptables block network access until sdwdate succeeded and that would be confusing.

nyxnor · September 24, 2022, 9:58am

yes.

got it

on my todo

nyxnor · September 26, 2022, 1:58pm

Can you point where are INTERNAL_OPEN_PORTS being opened in whonix-workstation-firewall, I didn’t find it.

github.com

Whonix/whonix-firewall/blob/master/usr/bin/whonix-workstation-firewall

#!/bin/bash

## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

#### meta start
#### project Whonix
#### category networking and firewall
#### description
## firewall script
#### meta end

## NOTE: If you make changes to this firewall, think about, if it would
##       make sense to add the changes to Whonix-Gateway script as well.
##       Some things like dropping invalid packages, should be shared.

## TODO:
## - Should allow unlimited TCP/UDP/IPv6 traffic on the virtual external interface (OnionCat / OpenVPN).

## source for some rules:

This file has been truncated. show original

nyxnor · September 26, 2022, 2:33pm

Patrick · September 26, 2022, 3:10pm

github.com

Whonix/whonix-firewall/blob/master/usr/bin/whonix-workstation-firewall#L368


      
              output_cmd "OK: Torified Qubes Updates Proxy check ok. Full access to Qubes Updates Proxy."
              return 0
            fi
          
            output_cmd "OK: Torified Qubes Updates Proxy check not done yet. Limiting access to Qubes Updates Proxy to user 'updatesproxycheck'."
          
            $iptables_cmd -A OUTPUT -m owner --uid-owner "$UPDATESPROXYCHECK_USER" -m iprange --dst-range "127.0.0.1" -p tcp --dport "$qubes_updates_proxy_port" -j ACCEPT
            $iptables_cmd -A OUTPUT -m owner --uid-owner "$UPDATESPROXYCHECK_USER" -m iprange --dst-range "10.137.255.254" -p tcp --dport "$qubes_updates_proxy_port" -j ACCEPT
          
            $iptables_cmd -A OUTPUT -m iprange --dst-range "127.0.0.1" -p tcp --dport "$qubes_updates_proxy_port" -j REJECT --reject-with icmp-admin-prohibited
            $iptables_cmd -A OUTPUT -m iprange --dst-range "10.137.255.254" -p tcp --dport "$qubes_updates_proxy_port" -j REJECT --reject-with icmp-admin-prohibited
          }
          
          ipv4_output() {
            ## Prevent connections to Tor SocksPorts.
            ## https://phabricator.whonix.org/T533#11025
            if [ "$firewall_mode" = "timesync-fail-closed" ]; then
              local socks_port_item
              output_cmd "INFO: not opening Internal TCP ports ${INTERNAL_OPEN_PORTS}, except 9108 for sdwdate, because firewall_mode=$firewall_mode"
              for socks_port_item in $INTERNAL_OPEN_PORTS; do
                true "socks_port_item: $socks_port_item"

nyxnor · September 26, 2022, 3:23pm

You sure?

   if [ "$firewall_mode" = "timesync-fail-closed" ]; then
                  local socks_port_item
                  for socks_port_item in $INTERNAL_OPEN_PORTS; do

It is only called if firewall_mode=timesync-fail-closed

nyxnor · September 26, 2022, 3:25pm

and it is rejecting

Patrick · September 26, 2022, 3:26pm

Added some comments inline on github.

Patrick · September 26, 2022, 3:39pm

My mistake. Now understand your question.

Nowhere. It’s not needed. If it’s not rejected, it’s permitted by default.

There isn’t “much” filtering in the output chain (function ipv4_output) when firewall_mode=full.

Hard to find any actually…
UDP is blocked, which is more of a usability feature.
- https://www.whonix.org/wiki/Tor#UDP
optional outgoing_allow_ip_list

The whole ipv4_output function looks overly lengthy and complicated due to timesync-fail-closed firewall mode and TUNNEL_FIREWALL_ENABLE mode. For a different topics,

could consider to deprecate TUNNEL_FIREWALL_ENABLE mode (sorry Tor + VPN + Tor users).
Somehow implement timesync-fail-closed more elegantly.
- ⚓ T533 iptables block network access until sdwdate succeeded
⚓ T509 Consider nftables / Berkeley Packet Filter (BPF) as a replacement for iptables

Patrick · September 26, 2022, 7:34pm

This was merged.