Host Firewall Settings and Testing

Upstream[edit]

Redirection to Kicksecure Documentation

Incomplete: This wiki page is incomplete. This it by design. It only contains specific information for Whonix. Below is a link to a wiki page in the Kicksecure wiki with more general information. Reading it is mandatory for full information.

Introduction: Whonix Documentation Introduction, User Expectations, Footnotes and References, User Expectations - What Documentation Is and What It Is Not
Whonix is based on Kicksecure^™: Whonix inherits many features and principles from Kicksecure.
Kicksecure is based on Debian: Kicksecure builds upon the stability of Debian.
Inheritance: Therefore, Whonix is also based on Debian.
Debian is GNU/Linux-based: Debian primarily uses the GNU/Linux as its foundation.
Shared documentation benefits: Because one distribution is based on another:
Inherited documentation: Little specific documentation is required for each layer.
Shared principles: Features and principles often remain consistent across forks. Users can often follow the same instructions for both Whonix and Kicksecure.
Keep using Whonix: This does not mean the user should switch to Kicksecure.
Where to apply the instructions: The instructions should be applied inside Whonix.
Wiki editors notice: This box is wiki template upstream_wiki. (Pages that link to it.)
Comparison: Whonix versus Kicksecure
Documentation compatibility: Since Whonix is based on Kicksecure, the user should follow these instructions for:

Host Firewall

Note: Re-interpretation...

Apply the instructions inside Whonix, not Kicksecure.

Kicksecure: Perform these steps inside Kicksecure.

Instead the user should apply the instructions inside Whonix-Workstation.

Kicksecure for Qubes: Perform these steps inside Qubes kicksecure-17 Template.

Instead the user should apply the instructions inside whonix-workstation-17 Template.

Whonix specific[edit]

Filtering Ports[edit]

Introduction[edit]

From time to time a user asks which incoming/outgoing ports are required by Whonix-Gateway^™. The answer is:

Incoming: none.
Outgoing: all.

An alternative technique for controlling ports might be corridor (a Tor traffic whitelisting gateway), since it can act as a firewall. ^[1]

Incoming[edit]

Whonix-Gateway itself does not open any ports. Users are advised to close all ports on the host as outlined in the Host Firewall Essentials entry.

Outgoing[edit]

Warning: This procedure is not recommended. Port-based filtering of outgoing traffic is not applicable (as in useful) in the case of Whonix-Gateway.

Filtering outgoing ports is difficult, since Tor entry guards or bridges listen on a variety of different ports. Limiting ports Tor uses for outgoing traffic is still possible, but recommended against, since it reduces anonymity. The effect is fewer entry guards or bridges are made available to the user. If users wish to proceed despite the risk, follow the instructions below.

On Whonix-Gateway.

Open file /usr/local/etc/torrc.d/50_user.conf in a text editor of your choice, with administrative rights. Select your platform.

Non-Qubes

If you are using a graphical Whonix-Gateway, take the following step.

Start Menu → Applications → Settings → /usr/local/etc/torrc.d/50_user.conf

Qubes-Whonix

If you are using Qubes-Whonix^™, take the following step.

Qubes App Launcher (blue/grey "Q") → Whonix-Gateway^™ ProxyVM (commonly named sys-whonix) → Tor User Config (Torrc)

CLI

If you are using Whonix-Gateway with command line interface (CLI), take the following step. sudoedit /usr/local/etc/torrc.d/50_user.conf

Add.

ReachableDirAddresses *:80 ReachableORAddresses *:443 ## maybe: FirewallPorts PORTS ## See Tor manual: https://2019.www.torproject.org/docs/tor-manual.html.en

Save.

Reload Tor.

After changing Tor configuration, Tor must be reloaded for changes to take effect.

Note: If Tor does not connect after completing all these steps, then a user mistake is the most likely explanation. Recheck /usr/local/etc/torrc.d/50_user.conf and repeat the steps outlined in the sections above. If Tor then connects successfully, all the necessary changes have been made.

If you are using Qubes-Whonix^™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Gateway^™ ProxyVM (commonly named 'sys-whonix') → Reload Tor

If you are using a graphical Whonix-Gateway, complete the following steps.

Start Menu → Applications → Settings → Reload Tor

If you are using a terminal-only Whonix-Gateway, click HERE for instructions.

Complete the following steps.

Reload Tor.

sudo service tor@default reload

Check Tor's daemon status.

sudo service tor@default status

It should include a a message saying.

Active: active (running) since ...

In case of issues, try the following debugging steps.

Check Tor's config.

sudo -u debian-tor tor --verify-config

The output should be similar to the following.

Sep 17 17:40:41.416 [notice] Read configuration file "/usr/local/etc/torrc.d/50_user.conf".
Configuration was valid

This issue was also discussed in the old Whonix forum.

Footnotes[edit]

↑ corridor for Whonix KVM ticket

Whonix

The most watertight privacy operating system in the world.

Dark mode

Supported by Power Up Privacy

Whonix is proudly supported until 2025 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Whonix we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint

2012- 2025 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!

[corridor-whonix-kvm-1] rridor for Whonix KVM ticket

[1]

Host Firewall

Contents

Upstream[edit]

Whonix specific[edit]