Whonix Gateway CLI-15.0.1.5.4 + Debian 10.9 - Disabling Firewall, workstation drops connection

Greetings,
I’m performing some tests using Whonix Gateway CLI + Debian 10.9 as workstation, looking at some aspects of the Whonix firewall in this custom OS scenario.

I guess the configuration, enabling and disabling of Whonix Firewall is directly related to the iptables rules.
When the Whonix Firewall is enabled (assuming no changes by the user) the iptables rules are the following:
In this situation, both of the machines work well and they connect also to the Internet.
During my tests, I noted that if I disable the Whonix Firewall on the Gateway, as described here: Dev/Firewall Unload - Whonix, and execute the ./firewall-unload script, the iptables rules will correctly be:

and if I perform a curl ifconfig.me in the Whonix Gateway, it connects correctly, but on Debian, if I try to execute sudo apt-get update or curl ifconfig.me, I receive connection errors; the workstation is not connected to the network anymore. Why does disabling the Whonix Firewall isolate the Debian workstation? Is there another component involved in this scenario that blocks the connections when the Whonix Firewall is disabled?

PS: executing sudo service whonix-firewall status:

Regards

When you run, for example, curl, apt, apt-get or other uwt-wrapped applications, what happens under the hood by default is actually running torsocks curl. Short introduction:

This can be disabled:

Longer explanation:


For Whonix-Workstation to be able to use system default DNS (non-uwt wrappeed applications and/or uwt disabled) (meaning not using a proxifier / socksifier), it requires Whonix-Gateway providing a Tor DnsPort. (See Tor manual for DnsPort.) Furthermore Tor requires traffic to be redirected to Tor’s DnsPort using iptables (or similar). Once Whonix-Gateway firewall is down, this iptables redirection will be non-existing.

The same, simplified, in more generic terms (unspecific to Whonix):
For a machine to be able to use system default DNS, it requires a Tor DnsPort. (See Tor manual for DnsPort.) Furthermore, Tor requires traffic to be redirected to Tor’s DnsPort using iptables (or similar).

The same is true for system default TCP traffic. (See Tor manual for TransPort.)


This might help too:

Related:


You’re underway on a great journey of understanding Whonix networking. If you understand most of that, you’ll be in a much better position to judge the (un)likeliness of leaks when using Whonix-Workstation.

And also if you have ideas on how to document this and perhaps even could contribute the required wiki enhancements, that would be great.

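The answer above explains the dependency chain: a workstation that is not going through torsocks/uwt only reaches the network if the gateway's nat table redirects its UDP/53 queries to Tor's DnsPort and its TCP connections to Tor's TransPort, and `firewall-unload` removes exactly those rules. The following script is an added example, not code from Whonix or from either poster: it parses `iptables-save -t nat` output from a gateway and reports whether the two redirections are present, which is the first thing to check when a workstation loses connectivity after the firewall is touched. The two embedded dumps are constructed for the example, and the interface name `eth1` and the ports 5300/9040 are assumptions, not Whonix's actual configuration; the check itself keys only on protocol, destination port 53 and the REDIRECT target, so it does not depend on those values.

```python
import shlex
import sys
from typing import Dict, List, Optional

# Constructed sample: a gateway nat table with the transparent-proxy rules
# loaded. Interface and port numbers are assumed for this example, not the
# values Whonix ships.
NAT_LOADED = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p udp -m udp --dport 53 -j REDIRECT --to-ports 5300
-A PREROUTING -i eth1 -p tcp -m tcp --syn -j REDIRECT --to-ports 9040
COMMIT
"""

# Constructed sample: the same table after the firewall has been unloaded.
# Only the built-in chains remain, so nothing is redirected to Tor.
NAT_UNLOADED = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
"""


def _parse_rule(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Turn one `-A CHAIN ...` line from iptables-save into a flat option dict.

    Only the options the check needs are extracted; match extensions such as
    `-m udp` or `--syn` are skipped without affecting the result.
    """
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    rule: Dict[str, Optional[str]] = {
        "chain": tokens[1], "in_if": None, "proto": None,
        "dport": None, "target": None, "to_ports": None,
    }
    wanted = {"-i": "in_if", "-p": "proto", "--dport": "dport",
              "-j": "target", "--to-ports": "to_ports"}
    i = 2
    while i < len(tokens):
        key = wanted.get(tokens[i])
        if key is not None and i + 1 < len(tokens):
            rule[key] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return rule


def check_tor_redirection(nat_dump: str) -> Dict[str, Optional[int]]:
    """Report the DnsPort and TransPort a workstation's traffic is redirected to.

    Returns {"dns_port": <port or None>, "trans_port": <port or None>}. A None
    means the corresponding PREROUTING REDIRECT rule is absent, which is the
    state firewall-unload leaves behind.
    """
    result: Dict[str, Optional[int]] = {"dns_port": None, "trans_port": None}
    for raw in nat_dump.splitlines():
        rule = _parse_rule(raw.strip())
        if rule is None or rule["chain"] != "PREROUTING" or rule["target"] != "REDIRECT":
            continue
        if rule["proto"] == "udp" and rule["dport"] == "53":
            result["dns_port"] = int(rule["to_ports"])
        elif rule["proto"] == "tcp" and rule["dport"] is None:
            # A TCP REDIRECT without a --dport restriction is the catch-all
            # TransPort rule; port-specific TCP rules are something else.
            result["trans_port"] = int(rule["to_ports"])
    return result


def explain(result: Dict[str, Optional[int]]) -> List[str]:
    """Translate missing redirections into the symptom the workstation will show."""
    problems = []
    if result["dns_port"] is None:
        problems.append("no UDP/53 REDIRECT to a DnsPort: system-default DNS on the "
                        "workstation (non-uwt, non-torsocks) cannot resolve names")
    if result["trans_port"] is None:
        problems.append("no catch-all TCP REDIRECT to a TransPort: system-default TCP "
                        "on the workstation cannot connect")
    return problems


if __name__ == "__main__":
    # Real use on the gateway: `sudo iptables-save -t nat | python3 check.py -`
    dump = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else NAT_UNLOADED
    found = check_tor_redirection(dump)
    print("redirections:", found)
    for line in explain(found):
        print(" -", line)
```

Run without arguments it evaluates the constructed "unloaded" dump and prints the two symptoms the question describes (apt and curl failing on the workstation while the gateway itself still connects); with `-` it reads a live `iptables-save -t nat` from stdin.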