Host Firewall
Contents
Basics[edit]
 | The recommendation to install a host firewall is documented in the Computer Security Education section, along with basic settings. |
Dedicated Connection[edit]
If possible, it is safer to avoid sharing the network (LAN, Wi-Fi, hotspot) with other potentially compromised machines.
Filtering Ports[edit]
Introduction[edit]
From time to time a user asks which incoming/outgoing ports are required by Whonix-Gateway. The answer is:
- Incoming:
none. - Outgoing:
all.
An alternative technique for controlling ports might be corridor (a Tor traffic whitelisting gateway), since it can act as a firewall. [1]
Incoming[edit]
Whonix-Gateway itself does not open any ports. Users are advised to close all ports on the host as outlined in the Host Firewall Basics entry.
Outgoing[edit]
 | Warning: This procedure is not recommended. Port-based filtering of outgoing traffic is not applicable (as in useful) in the case of Whonix-Gateway. |
Filtering outgoing ports is difficult, since Tor entry guards or bridges listen on a variety of different ports. Limiting ports Tor uses for outgoing traffic is still possible, but recommended against, since it reduces anonymity. The effect is fewer entry guards or bridges are made available to the user. If users wish to proceed despite the risk, follow the instructions below.
On Whonix-Gateway.
| From Whonix 14 onwards, all user unique Tor configurations should be stored in /usr/local/etc/torrc.d/50_user.conf and not anywhere else. Note that Whonix will not modify /usr/local/etc/torrc.d/50_user.conf once it is created, therefore the user is responsible for adding or removing specific configurations in this file. |
Open /usr/local/etc/torrc.d/50_user.conf.
If you are using Qubes-Whonix, complete the following steps.
Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Tor User Config (Torrc)
If you are using a graphical Whonix-Gateway, complete the following steps.
Start Menu -> Applications -> Settings -> /usr/local/etc/torrc.d/50_user.conf
If you are using a terminal-only Whonix-Gateway, complete the following steps.
sudo nano /usr/local/etc/torrc.d/50_user.conf
Add.
ReachableDirAddresses *:80 ReachableORAddresses *:443 ## maybe: FirewallPorts PORTS ## See Tor manual: https://www.torproject.org/docs/tor-manual.html.en
Save.
Reload Tor.
After editing /usr/local/etc/torrc.d/50_user.conf, Tor must be reloaded for changes to take effect.
Note: If Tor does not connect after completing all these steps, then a user mistake is the most likely explanation. Recheck /usr/local/etc/torrc.d/50_user.conf and repeat the steps outlined in the sections above. If Tor then connects successfully, all the necessary changes have been made.
If you are using Qubes-Whonix, complete the following steps.
Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named 'sys-whonix') -> Reload Tor
If you are using a graphical Whonix-Gateway, complete the following steps.
Start Menu -> Applications -> Settings -> Reload Tor
If you are using a terminal-only Whonix-Gateway, press on Expand on the right.
Complete the following steps.
Reload Tor.
sudo service tor@default reload
Check Tor's daemon status.
sudo service tor@default status
It should include a a message saying.
Active: active (running) since ...
In case of issues, try the following debugging steps.
Check Tor's config.
sudo -u debian-tor tor --verify-config
The output should be similar to the following.
Sep 17 17:40:41.416 [notice] Read configuration file "/usr/local/etc/torrc.d/50_user.conf". Configuration was valid
This issue was also discussed in the old Whonix forum.
NAT Router[edit]
Being behind an ordinary NAT router may provide a marginal layer of extra security.
Users should also review the relevant recommendations in the Router and Local Area Network Security entry. This includes steps to lock down router settings and the recommendation to purchase a commercial-grade router. Experts can also flash the router with an open-source GNU/Linux distribution.
Port Scan[edit]
Using an Internet-based port scanner service to test the local LAN's router/firewall is a sensible idea. Users must carefully research and find a legitimate service, since many companies only want to sell a product and will purposefully present false positives. A better alternative is to scan the local LAN with a port scanning application from an external IP address. To scan the home IP address, users can either login remotely (SSH) via an external machine, or proxy through an external IP address. Detailed instructions on accomplishing that are beyond the scope of this document.
A special case is presented by users who share a LAN with other PCs (a stand-alone machine is not used). In this instance, the port scanning/testing service or a port scan application from an external IP address will actually only scan the local LAN's router/firewall and not the actual host's PC. If the latter is mis-configured, then the user could be susceptible to attacks from other machines within the LAN which sit behind the router, and a false sense of security could be the result.
For example, if the user shares the LAN with flatmates who are not so sophisticated in computer security, then those foreign machines should be regarded as potentially malicious. There is every possibility they may have been infected with a botnet already or other harmful programs. Therefore, the user cannot trust the output of a port scan application running on their machine. If there is no spare machine for testing, then foreign computers on the LAN can be booted from a live CD, and the user can scan their personal machine with a port scan application. Details on how to accomplish that task are also outside the scope of this document.
Footnotes[edit]
License[edit]
Whonix Host Firewall wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Host Firewall wiki page Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.
Want to make Whonix safer and more usable? We're looking for helping hands. Check out the Open Issues and development forum.
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.
Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)