Workstation Firewall issue

On Whonix Workstation 9.4, if you enable the firewall, the internet does not work. Timesync does not progress, whonixcheck reports control port not reachable and Tor Browser does not launch.

There is currently an issue.

Without firewall.

[code]~ $ time /usr/lib/anon-shared-helper-scripts/tor_bootstrap_check.py 127.0.0.1 9151 0
NOTICE BOOTSTRAP PROGRESS=100 TAG=done SUMMARY="Done"

real    0m0.104s
user    0m0.064s
sys     0m0.000s
[/code]

With firewall.

[code]~ $ time /usr/lib/anon-shared-helper-scripts/tor_bootstrap_check.py 127.0.0.1 9151 0
NOTICE BOOTSTRAP PROGRESS=100 TAG=done SUMMARY="Done"

real    0m26.151s
user    0m0.044s
sys     0m0.024s
[/code]

That will cause the issue you are describing.

Maybe someone can help find the bug that causes this in the iptables rules?

https://github.com/Whonix/whonix-ws-firewall/blob/master/usr/bin/whonix_firewall

Figured out the iptables rule that is causing this issue.

Feel free to comment it out.

What difference does it make? See the comments above that rule.

Will contact Damian Johnson (author of python-stem, which tor_bootstrap_check.py is using) and ask if it's using any non-TCP connections.

Done.

stem TCP vs other protocols
Hi Damian,

I am currently wondering about some issue. [1]

Does stem use pure TCP or also something else?

The following firewall rule is creating issues.

iptables -A OUTPUT ! -p tcp -j REJECT --reject-with icmp-port-unreachable

(While Tor is running on a different machine.)

Any idea about this?

Cheers,
Patrick

[1] Whonix Forum

Ticket:
https://phabricator.whonix.org/T112

Wiki:

Got an answer.

I'd certainly expect so. Here's the bit where Stem creates the socket...

stem/socket.py · HEAD · The Tor Project / Network Health / stem · GitLab

That rule will be disabled in Whonix 10. For more, see also:
https://github.com/Whonix/whonix-ws-firewall/commit/3e3a5047d4e5d6d18d78f62686f8c60da7abf55f

I consider this fixed.

You can make it work in Whonix 9 as well if you get the updated script. Compare with your existing one. Git commit is signed. No security risk if you check the signature or the diff. Please test (press raw button for copy and paste friendly version):
https://github.com/Whonix/whonix-ws-firewall/blob/3e3a5047d4e5d6d18d78f62686f8c60da7abf55f/usr/bin/whonix_firewall

please replace

with

iptables -A OUTPUT -p tcp -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT

That last line, allowing only that particular ICMP type, was enough for fixing the issue. Don't ask me why, I found it by testing them.

Could we open a discussion or bug report for enabling this firewall by default? I guess it adds real security depending on various threat models. I guess 99% of users will not complain about it.

Or perhaps asking on first boot like whonixsetup

[quote=“z, post:9, topic:761”]please replace

with

iptables -A OUTPUT -p tcp -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT

That last line, allowing only that particular ICMP type, was enough for fixing the issue. Don't ask me why, I found it by testing them.[/quote]
Current fixed version works as is.

I am not sure the original "iptables -A OUTPUT ! -p tcp -j REJECT --reject-with icmp-port-unreachable" idea (see comments above) was a good idea to begin with. It was not a rule to improve security. The idea was to improve usability (make ping say instantly failed rather than timeout), while on the other hand it worsens usability by creating confusion in corner cases (not being able to tunnel UDP over Tor).

[quote=“z, post:10, topic:761”]Could we open a discussion or bug report for enabling this firewall by default? I guess it adds real security depending on various threat models. I guess 99% of users will not complain about it.

Or perhaps asking on first boot like whonixsetup[/quote]
You can open a discussion in development forum or so.
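The two OUTPUT-chain variants discussed in this thread (the original catch-all reject that z traced the slow control-port check to, and the order that z reports fixed it by accepting ICMP type 3 first), written up as an added example; this is not the whonix_firewall script itself, it covers only this fragment of the chain, assumes IPv4, and defaults to a dry run that prints the commands instead of calling iptables:

```shell
#!/bin/sh
# Added example, not the Whonix firewall script. Set DRY_RUN=0 to actually
# apply the rules (needs root); the default only prints them.

ipt() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Original Whonix 9 order from the thread: TCP out, then reject everything
# that is not TCP with an ICMP port-unreachable. This is the "ping usability"
# rule; with it the tor_bootstrap_check.py run took ~26 s instead of ~0.1 s.
output_rules_original() {
    ipt -A OUTPUT -p tcp -j ACCEPT
    ipt -A OUTPUT ! -p tcp -j REJECT --reject-with icmp-port-unreachable
}

# Order z reported as working: accept outgoing ICMP destination-unreachable
# (type 3) before the catch-all reject. The thread does not explain why this
# particular type is what matters; it was found by testing.
output_rules_fixed() {
    ipt -A OUTPUT -p tcp -j ACCEPT
    ipt -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT
    ipt -A OUTPUT ! -p tcp -j REJECT --reject-with icmp-port-unreachable
}

# Check a rule generator's output: iptables matches first rule wins, so the
# ICMP type 3 ACCEPT is only effective if it precedes the non-TCP REJECT.
# Returns 0 when the order is right, 1 otherwise.
check_order() {
    "$1" | awk '/icmp-type 3 -j ACCEPT/ { a = NR }
                /! -p tcp -j REJECT/   { r = NR }
                END { exit !(a && r && a < r) }'
}
```

Run with `DRY_RUN=1 sh script.sh` after appending `output_rules_fixed` to see the commands, and compare them against the rules in the linked commit before applying anything.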

Reopened that ticket. Happening again. More info on ticket.

Solved.

(Also the “ping usability rule” (iptables -A OUTPUT ! -p tcp -j REJECT --reject-with icmp-port-unreachable) works again.)