Don’t edit /usr/bin/whonix_firewall directly as changes are lost on
upgrades. For the variables you changed, there is no need to edit the
file directly. Edit the configuration instead. The folder is
/etc/whonix_firewall.d. See also:
I don’t know where you got /usr/bin/whonix_firewall editing directly
from. Just stick to the documentation.
The new link by the way is this one:
the fail closed mechanism doesn’t run, but it doesn’t matter because
I have a good VPN
That doesn’t follow. Whether the VPN goes down and traffic continues to
connect in the clear is not only up to the VPN. The internet
connection could also go down due to natural causes. Another category of
attack would be to intentionally disrupt the VPN connection as part of
an active ISP level attack.
and of course it’s an additional layer of security, not fundamental for
the most part
If you don’t do it right, then there is no reason to bother at all.
I have another question: if I would use the VPN-Firewall on the host
and I need to surf on the clear net without Tor, how can I do it? The
normal browser (Iceweasel) doesn’t connect, only VirtualBox can.
When VPN-Firewall and the VPN is running, all host traffic should go
user → VPN → destination.
I don’t know iptables very well, so I can’t modify your
configuration to prevent damage. How can I do it? Maybe I can test.
Using VPN-Firewall and going user → VPN → destination and then at the
same time making exceptions for user → destination is certainly
possible if you know iptables, but unsupported.
(Frequently Asked Questions - Whonix FAQ)
In conclusion, to update my host I always need to launch VPN and Tor
on the host, so the Tor connection will pass through the VPN. But sometimes
I need to surf without Tor on the host …
How can I do it?
You don’t need to start Whonix / Tor for user → VPN → destination.
(Technical analogy: From the VPN-Firewall / VPN perspective, “they don’t
‘know’ anything about Whonix”.)
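To make the fail-closed user → VPN → destination policy discussed above concrete, here is an added illustrative iptables script; it is not VPN-Firewall’s own rule set, and the interface names, VPN server address and port are assumptions passed in as arguments. The second function shows what the unsupported user → destination exception amounts to: a hole punched straight through the tunnel-only policy.

```shell
#!/bin/sh
# Illustrative fail-closed VPN firewall (not VPN-Firewall's own rules).
# Arguments: physical uplink, VPN tunnel interface, VPN server IP, VPN UDP port.
# Set IPT=echo for a dry run that only prints the rules instead of applying them.
apply_vpn_firewall() {
    uplink=$1; tun=$2; vpn_server=$3; vpn_port=$4
    ipt=${IPT:-iptables}

    # Clean slate and default-deny in every direction: if the tunnel drops,
    # nothing falls back to the uplink in the clear (this is "fail closed").
    $ipt -F
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT DROP

    # Loopback and replies to connections that were already allowed.
    $ipt -A INPUT  -i lo -j ACCEPT
    $ipt -A OUTPUT -o lo -j ACCEPT
    $ipt -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # The only clear-text traffic permitted on the uplink is the VPN handshake
    # itself, pinned to the VPN server address and port.
    $ipt -A OUTPUT -o "$uplink" -d "$vpn_server" -p udp --dport "$vpn_port" -j ACCEPT

    # Everything else must leave through the tunnel interface.
    $ipt -A OUTPUT -o "$tun" -j ACCEPT

    # Log (rate-limited) and drop the rest so a leak attempt shows in the kernel log.
    $ipt -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "VPN-FW leak blocked: "
    $ipt -A OUTPUT -j DROP
}

# The unsupported "user -> destination" exception from the thread: one host
# reachable directly on the uplink, bypassing the tunnel. Each such rule is a
# clear-text path that the fail-closed policy no longer protects.
add_clearnet_exception() {
    uplink=$1; host=$2
    ipt=${IPT:-iptables}
    $ipt -I OUTPUT -o "$uplink" -d "$host" -j ACCEPT
}

# Usage (as root): apply_vpn_firewall eth0 tun0 198.51.100.7 1194
```

Run it once with IPT=echo and read the printed rules before applying anything; the dry run is the only safe way to "test" on a host you cannot afford to lock out.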