[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

Workstation Firewall issue

On Whonix Workstation 9.4, if you enable the firewall, the internet does not work. Timesync does not progress, whonixcheck reports control port not reachable and Tor Browser does not launch.

There is currently an issue.

Without firewall.

~ $ time /usr/lib/anon-shared-helper-scripts/tor_bootstrap_check.py 127.0.0.1 9151 0
NOTICE BOOTSTRAP PROGRESS=100 TAG=done SUMMARY="Done"

real    0m0.104s
user    0m0.064s
sys     0m0.000s

With firewall.

[code]~ $ time /usr/lib/anon-shared-helper-scripts/tor_bootstrap_check.py 127.0.0.1 9151 0
NOTICE BOOTSTRAP PROGRESS=100 TAG=done SUMMARY=“Done”

real 0m26.151s
user 0m0.044s
sys 0m0.024s
[/code]

That will cause the issue you are describing.

Maybe someone can help finding the bug that causes this in the iptables rules?

https://github.com/Whonix/whonix-ws-firewall/blob/master/usr/bin/whonix_firewall

Figured out the iptables rule, that is causing this issue.

Feel free to comment it out.

What difference does it make? See the comments above that rules.

Will contact Damain Johnson (author of python-stem, that tor_bootstrap_check.py is using if it’s using any non-TCP connections).

Done.

stem TCP vs other protocols
Hi Damian,

I am currently wondering about some issue. [1]

Does stem use pure TCP or also something else?

The following firewall rule is creating issues.

iptables -A OUTPUT ! -p tcp -j REJECT --reject-with icmp-port-unreachable

(While Tor is running on a different machine.)

Any idea about this?

Cheers,
Patrick

[1] https://www.whonix.org/forum/index.php/topic,834.0.html

Ticket:
https://phabricator.whonix.org/T112

Wiki:

Got an answer.

I'd certainly expect so. Here's the bit where Stem creates the socket...

https://gitweb.torproject.org/stem.git/tree/stem/socket.py#n391

That rule will be disabled in Whonix 10. For more, see also:
https://github.com/Whonix/whonix-ws-firewall/commit/3e3a5047d4e5d6d18d78f62686f8c60da7abf55f

I consider this fixed.

You can make it work in Whonix 9 as well if you get the updated script. Compare with your existing one. Git commit is singed. No security risk if you check the signature or the diff. Please test (press raw button for copy and paste friendly version):
https://github.com/Whonix/whonix-ws-firewall/blob/3e3a5047d4e5d6d18d78f62686f8c60da7abf55f/usr/bin/whonix_firewall

please replace

with

iptables -A OUTPUT -p tcp -j ACCEPT iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT

that last line, allowing only that particular icmp type was enough for fixing the issue. Don’t ask me why, I found by testing them

Could we open a discussion or bug report for enabling this firewall by default? I guess it adds real security depending on various threat models. I guess 99% of users will not complain about it

Or perhaps asking on first boot like whonixsetup

[quote=“z, post:9, topic:761”]please replace

with

iptables -A OUTPUT -p tcp -j ACCEPT iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT

that last line, allowing only that particular icmp type was enough for fixing the issue. Don’t ask me why, I found by testing them[/quote]
Current fixed version works as is.

I am not sure the original “iptables -A OUTPUT ! -p tcp -j REJECT --reject-with icmp-port-unreachable” idea (see comments) above was a good idea to begin with. It was not a rule to improve security. To idea was to improve usability (make ping say instantly failed rather than timeout) while on the other hand it worsens usability by creating confusing in corner cases (not being able to tunnel UDP oder Tor).

[quote=“z, post:10, topic:761”]Could we open a discussion or bug report for enabling this firewall by default? I guess it adds real security depending on various threat models. I guess 99% of users will not complain about it

Or perhaps asking on first boot like whonixsetup[/quote]
You can open a discussion in development forum or so.

Reopened that ticket. Happening again. More info on ticket.

Solved.

(Also the “ping usability rule” (iptables -A OUTPUT ! -p tcp -j REJECT --reject-with icmp-port-unreachable) works again.)

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]