Actions

Whonix-Workstation Firewall

From Whonix


Firewall-34227640.png

[1] [2]

How to open a Port in Whonix-Workstation ™ Firewall[edit]

Modify Whonix-Workstation ™ User Firewall Settings

Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.

If using Qubes-Whonix ™, complete these steps.
In Whonix-Workstation ™ AppVM. Make sure folder /usr/local/etc/whonix_firewall.d exists.

sudo mkdir -p /usr/local/etc/whonix_firewall.d

Qubes App Launcher (blue/grey "Q")Whonix-Workstation ™ AppVM (commonly called anon-whonix)Whonix User Firewall Settings

If using a graphical Whonix-Workstation ™, complete these steps.

Start MenuApplicationsSystemUser Firewall Settings

If using a terminal-only Whonix-Workstation ™, complete these steps.

Open /usr/local/etc/whonix_firewall.d/50_user.conf with root rights.

sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf

For more help, press on Expand on the right.

Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_workstation_default.conf.

The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_workstation_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.

## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When Whonix is updated, this
## file may be overwritten.

See also Whonix modular flexible .d style configuration folders.

To view the file, follow these instructions.

If using Qubes-Whonix ™, complete these steps.

Qubes App Launcher (blue/grey "Q")Template: whonix-ws-15Whonix Global Firewall Settings

If using a graphical Whonix-Workstation ™, complete these steps.

Start MenuApplicationsSettingsGlobal Firewall Settings

If using a terminal-only Whonix-Workstation ™, complete these steps.

In Whonix-Workstation ™, open the whonix_firewall configuration file in an editor.

nano /etc/whonix_firewall.d/30_whonix_workstation_default.conf

Add. Replace 80 with the actual port you would like to open.

EXTERNAL_OPEN_PORTS+=" 80 "

Save.

Reload Whonix-Workstation ™ Firewall.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q")Whonix-Workstation ™ AppVM (commonly named anon-whonix)Reload Whonix Firewall

If you are using a graphical Whonix-Workstation ™, complete the following steps.

Start MenuApplicationsSystemReload Whonix Firewall

If you are using a terminal-only Whonix-Workstation ™, run.

sudo whonix_firewall

How to open All Ports in Whonix-Workstation ™ Firewall[edit]

This is usually not required and should be avoided.

Modify Whonix-Workstation ™ User Firewall Settings

Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.

If using Qubes-Whonix ™, complete these steps.
In Whonix-Workstation ™ AppVM. Make sure folder /usr/local/etc/whonix_firewall.d exists.

sudo mkdir -p /usr/local/etc/whonix_firewall.d

Qubes App Launcher (blue/grey "Q")Whonix-Workstation ™ AppVM (commonly called anon-whonix)Whonix User Firewall Settings

If using a graphical Whonix-Workstation ™, complete these steps.

Start MenuApplicationsSystemUser Firewall Settings

If using a terminal-only Whonix-Workstation ™, complete these steps.

Open /usr/local/etc/whonix_firewall.d/50_user.conf with root rights.

sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf

For more help, press on Expand on the right.

Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_workstation_default.conf.

The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_workstation_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.

## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When Whonix is updated, this
## file may be overwritten.

See also Whonix modular flexible .d style configuration folders.

To view the file, follow these instructions.

If using Qubes-Whonix ™, complete these steps.

Qubes App Launcher (blue/grey "Q")Template: whonix-ws-15Whonix Global Firewall Settings

If using a graphical Whonix-Workstation ™, complete these steps.

Start MenuApplicationsSettingsGlobal Firewall Settings

If using a terminal-only Whonix-Workstation ™, complete these steps.

In Whonix-Workstation ™, open the whonix_firewall configuration file in an editor.

nano /etc/whonix_firewall.d/30_whonix_workstation_default.conf

Add. Replace 80 with the actual port you would like to open.

EXTERNAL_OPEN_ALL=true

Save.

Reload Whonix-Workstation ™ Firewall.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q")Whonix-Workstation ™ AppVM (commonly named anon-whonix)Reload Whonix Firewall

If you are using a graphical Whonix-Workstation ™, complete the following steps.

Start MenuApplicationsSystemReload Whonix Firewall

If you are using a terminal-only Whonix-Workstation ™, run.

sudo whonix_firewall

Disable Whonix-Workstation ™ Firewall Until Reboot[edit]

Inside Whonix-Workstation ™.

See Dev/Firewall_Unload.

Permanently Disable Whonix-Workstation ™ Firewall[edit]

Inside Whonix-Workstation ™.

sudo systemctl mask whonix-firewall

No firewall rules will load after rebooting.

ping[edit]

Ping commands should NOT work for external addresses from your Whonix-Workstation ™; ICMP traffic [3] is not proxied, and filtered by Whonix ™ Firewall (/usr/bin/whonix_firewall) because Tor does not support UDP. For example, ping google.com will not work. To make ping work, see chapter Allow UDP.

When SUID Disabler and Permission Hardener gets enabled (not enabled by default at time of writing but will be enabled in by default in future), the CAP_NET_RAW capability will be removed from ping to reduce attack surface since it wold not work anyway. [4] When that will happen, to re-enable ping this, chapter Whitelist Specific Capability Binaries.

Forum discussion:
https://forums.whonix.org/t/ping-operation-permitted/11056/ [archive]

Allow UDP[edit]

Ambox notice.png The Tor software does not yet support UDP, [5] although Tor provides a DnsPort.

If UDP is urgently required in Whonix ™, a limited workaround is provided. For the most secure method, see Tunnel UDP over Tor.

To allow allow UDP, follow the following steps.

Modify Whonix-Workstation ™ User Firewall Settings

Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.

If using Qubes-Whonix ™, complete these steps.
In Whonix-Workstation ™ AppVM. Make sure folder /usr/local/etc/whonix_firewall.d exists.

sudo mkdir -p /usr/local/etc/whonix_firewall.d

Qubes App Launcher (blue/grey "Q")Whonix-Workstation ™ AppVM (commonly called anon-whonix)Whonix User Firewall Settings

If using a graphical Whonix-Workstation ™, complete these steps.

Start MenuApplicationsSystemUser Firewall Settings

If using a terminal-only Whonix-Workstation ™, complete these steps.

Open /usr/local/etc/whonix_firewall.d/50_user.conf with root rights.

sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf

For more help, press on Expand on the right.

Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_workstation_default.conf.

The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_workstation_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.

## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When Whonix is updated, this
## file may be overwritten.

See also Whonix modular flexible .d style configuration folders.

To view the file, follow these instructions.

If using Qubes-Whonix ™, complete these steps.

Qubes App Launcher (blue/grey "Q")Template: whonix-ws-15Whonix Global Firewall Settings

If using a graphical Whonix-Workstation ™, complete these steps.

Start MenuApplicationsSettingsGlobal Firewall Settings

If using a terminal-only Whonix-Workstation ™, complete these steps.

In Whonix-Workstation ™, open the whonix_firewall configuration file in an editor.

nano /etc/whonix_firewall.d/30_whonix_workstation_default.conf

Add. [6]

firewall_allow_udp=true

Save.

Reload Whonix-Workstation ™ Firewall.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q")Whonix-Workstation ™ AppVM (commonly named anon-whonix)Reload Whonix Firewall

If you are using a graphical Whonix-Workstation ™, complete the following steps.

Start MenuApplicationsSystemReload Whonix Firewall

If you are using a terminal-only Whonix-Workstation ™, run.

sudo whonix_firewall

Done, Whonix-Workstation ™ firewall does now permit UDP.

Purpose[edit]

https://github.com/Whonix/whonix-firewall/blob/master/man/whonix_firewall.8.ronn#whonix-workstation-firewall-design-notes [archive]

See Also[edit]

Footnotes[edit]



text=Jobs in USA
Jobs in USA


Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki


Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: 1024px-Telegram 2019 Logo.svg.png Discourse logo.png Matrix logo.svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png

Want to get involved with Whonix ™? Check out our Contribute page.

https link onion link

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.

Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].

Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint, Contact.