Whonix-Workstation Firewall
From Whonix
How to open a Port in Whonix-Workstation ™ Firewall[edit]
How to open an Incoming Port in Whonix-Workstation ™ Firewall[edit]
Whonix-Gateway ™ → Whonix-Workstation ™ → server running inside Whonix-Workstation ™
For purpose of allowing an incoming connection from Whonix-Gateway ™ such as for example to make Onion Services reachable.
1. Modify Whonix-Workstation ™ User Firewall Settings
Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.
If using Qubes-Whonix ™, complete these steps.
In Whonix-Workstation ™ AppVM. Make sure folder /usr/local/etc/whonix_firewall.d exists.
sudo mkdir -p /usr/local/etc/whonix_firewall.d
Qubes App Launcher (blue/grey "Q") → Whonix-Workstation ™ AppVM (commonly called anon-whonix) → Whonix User Firewall Settings
If using a graphical Whonix-Workstation ™, complete these steps.
Start Menu → Applications → System → User Firewall Settings
If using a terminal-only Whonix-Workstation ™, complete these steps.
Open /usr/local/etc/whonix_firewall.d/50_user.conf with root rights.
sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf
For more help, press on Expand on the right.
Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_workstation_default.conf.
The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_workstation_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.
## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration, ## which will override the defaults found here. When Whonix is updated, this ## file may be overwritten.
See also Whonix modular flexible .d style configuration folders.
To view the file, follow these instructions.
If using Qubes-Whonix ™, complete these steps.
Qubes App Launcher (blue/grey "Q") → Template: whonix-ws-15 → Whonix Global Firewall Settings
If using a graphical Whonix-Workstation ™, complete these steps.
Start Menu → Applications → Settings → Global Firewall Settings
If using a terminal-only Whonix-Workstation ™, complete these steps.
In Whonix-Workstation ™, open the whonix_firewall configuration file in an editor.
nano /etc/whonix_firewall.d/30_whonix_workstation_default.conf
2. Add. Replace 80 with the actual port you would like to open.
EXTERNAL_OPEN_PORTS+=" 80 "
3. Save.
4. Reload Whonix-Workstation ™ Firewall.
If you are using Qubes-Whonix ™, complete the following steps.
Qubes App Launcher (blue/grey "Q") → Whonix-Workstation ™ AppVM (commonly named anon-whonix) → Reload Whonix Firewall
If you are using a graphical Whonix-Workstation ™, complete the following steps.
Start Menu → Applications → System → Reload Whonix Firewall
If you are using a terminal-only Whonix-Workstation ™, run.
sudo whonix_firewall
5. Done.
How to open an Outgoing Port in Whonix-Workstation ™ Firewall[edit]
Whonix-Workstation ™ → Whonix-Gateway ™ → Tor SocksPort
For purpose of allowing an outgoing connection to Whonix-Gateway ™.
Might be useful for Tor additional SocksPorts.
1. Usually not required!
Untested! (Use Dev/Firewall Refactoring to check before and after making configuration changes if the actual firewall rules actually changed.)
Usually not required since Whonix-Workstation ™ firewall does not restrict what ports on Whonix-Gateway ™ are reachable if these are open in Whonix-Gateway ™ firewall.
Only useful to prevent connections to Tor SocksPorts in timesync-fail-closed firewall mode. [3]
2. Modify Whonix-Workstation ™ User Firewall Settings
Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.
If using Qubes-Whonix ™, complete these steps.
In Whonix-Workstation ™ AppVM. Make sure folder /usr/local/etc/whonix_firewall.d exists.
sudo mkdir -p /usr/local/etc/whonix_firewall.d
Qubes App Launcher (blue/grey "Q") → Whonix-Workstation ™ AppVM (commonly called anon-whonix) → Whonix User Firewall Settings
If using a graphical Whonix-Workstation ™, complete these steps.
Start Menu → Applications → System → User Firewall Settings
If using a terminal-only Whonix-Workstation ™, complete these steps.
Open /usr/local/etc/whonix_firewall.d/50_user.conf with root rights.
sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf
For more help, press on Expand on the right.
Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_workstation_default.conf.
The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_workstation_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.
## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration, ## which will override the defaults found here. When Whonix is updated, this ## file may be overwritten.
See also Whonix modular flexible .d style configuration folders.
To view the file, follow these instructions.
If using Qubes-Whonix ™, complete these steps.
Qubes App Launcher (blue/grey "Q") → Template: whonix-ws-15 → Whonix Global Firewall Settings
If using a graphical Whonix-Workstation ™, complete these steps.
Start Menu → Applications → Settings → Global Firewall Settings
If using a terminal-only Whonix-Workstation ™, complete these steps.
In Whonix-Workstation ™, open the whonix_firewall configuration file in an editor.
nano /etc/whonix_firewall.d/30_whonix_workstation_default.conf
3. Add.
Note: Replace 9230 with the actual port you would like to open. Replace SOCKS_PORT_CUSTOM with SOCKS_PORT_ANOTHER when using multiple. Replace word ANOTHER with another unique word.
Up to Whonix ™ version 15.0.1.7.2.
SOCKS_PORT_CUSTOM=" 9230 "
The syntax will change in later Whonix ™ versions. [4]
INTERNAL_OPEN_PORTS+=" 9230 "
Adding both settings to the firewall settings file is OK.
4. Save.
5. Reload Whonix-Workstation ™ Firewall.
If you are using Qubes-Whonix ™, complete the following steps.
Qubes App Launcher (blue/grey "Q") → Whonix-Workstation ™ AppVM (commonly named anon-whonix) → Reload Whonix Firewall
If you are using a graphical Whonix-Workstation ™, complete the following steps.
Start Menu → Applications → System → Reload Whonix Firewall
If you are using a terminal-only Whonix-Workstation ™, run.
sudo whonix_firewall
6. Done.
How to open All Ports in Whonix-Workstation ™ Firewall[edit]
For purpose of allowing an incoming connection from Whonix-Gateway ™ such as for example to make Onion Services reachable.
This is usually not required and should be avoided.
Modify Whonix-Workstation ™ User Firewall Settings
Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.
If using Qubes-Whonix ™, complete these steps.
In Whonix-Workstation ™ AppVM. Make sure folder /usr/local/etc/whonix_firewall.d exists.
sudo mkdir -p /usr/local/etc/whonix_firewall.d
Qubes App Launcher (blue/grey "Q") → Whonix-Workstation ™ AppVM (commonly called anon-whonix) → Whonix User Firewall Settings
If using a graphical Whonix-Workstation ™, complete these steps.
Start Menu → Applications → System → User Firewall Settings
If using a terminal-only Whonix-Workstation ™, complete these steps.
Open /usr/local/etc/whonix_firewall.d/50_user.conf with root rights.
sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf
For more help, press on Expand on the right.
Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_workstation_default.conf.
The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_workstation_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.
## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration, ## which will override the defaults found here. When Whonix is updated, this ## file may be overwritten.
See also Whonix modular flexible .d style configuration folders.
To view the file, follow these instructions.
If using Qubes-Whonix ™, complete these steps.
Qubes App Launcher (blue/grey "Q") → Template: whonix-ws-15 → Whonix Global Firewall Settings
If using a graphical Whonix-Workstation ™, complete these steps.
Start Menu → Applications → Settings → Global Firewall Settings
If using a terminal-only Whonix-Workstation ™, complete these steps.
In Whonix-Workstation ™, open the whonix_firewall configuration file in an editor.
nano /etc/whonix_firewall.d/30_whonix_workstation_default.conf
Add.
EXTERNAL_OPEN_ALL=true
Save.
Reload Whonix-Workstation ™ Firewall.
If you are using Qubes-Whonix ™, complete the following steps.
Qubes App Launcher (blue/grey "Q") → Whonix-Workstation ™ AppVM (commonly named anon-whonix) → Reload Whonix Firewall
If you are using a graphical Whonix-Workstation ™, complete the following steps.
Start Menu → Applications → System → Reload Whonix Firewall
If you are using a terminal-only Whonix-Workstation ™, run.
sudo whonix_firewall
Disable Whonix-Workstation ™ Firewall Until Reboot[edit]
Inside Whonix-Workstation ™.
See Dev/Firewall_Unload.
Permanently Disable Whonix-Workstation ™ Firewall[edit]
Inside Whonix-Workstation ™.
sudo systemctl mask whonix-firewall
No firewall rules will load after rebooting.
ping[edit]
Ping commands should NOT work for external addresses from your Whonix-Workstation ™; ICMP traffic [5] is not proxied, and filtered by Whonix ™ Firewall (/usr/bin/whonix_firewall) because Tor does not support UDP. For example, ping google.com will not work. To make ping work, see chapter Allow UDP.
When SUID Disabler and Permission Hardener gets enabled (not enabled by default at time of writing but will be enabled in by default in future), the CAP_NET_RAW capability will be removed from ping to reduce attack surface since it wold not work anyway. [6] When that will happen, to re-enable ping this, chapter Whitelist Specific Capability Binaries.
Forum discussion:
https://forums.whonix.org/t/ping-operation-permitted/11056/ [archive]
Allow UDP[edit]
The Tor software does not yet support UDP, [7] although Tor provides a DnsPort.
If UDP is urgently required in Whonix ™, a limited workaround is provided. For the most secure method, see Tunnel UDP over Tor.
To allow allow UDP, follow the following steps.
Modify Whonix-Workstation ™ User Firewall Settings
Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.
If using Qubes-Whonix ™, complete these steps.
In Whonix-Workstation ™ AppVM. Make sure folder /usr/local/etc/whonix_firewall.d exists.
sudo mkdir -p /usr/local/etc/whonix_firewall.d
Qubes App Launcher (blue/grey "Q") → Whonix-Workstation ™ AppVM (commonly called anon-whonix) → Whonix User Firewall Settings
If using a graphical Whonix-Workstation ™, complete these steps.
Start Menu → Applications → System → User Firewall Settings
If using a terminal-only Whonix-Workstation ™, complete these steps.
Open /usr/local/etc/whonix_firewall.d/50_user.conf with root rights.
sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf
For more help, press on Expand on the right.
Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_workstation_default.conf.
The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_workstation_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.
## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration, ## which will override the defaults found here. When Whonix is updated, this ## file may be overwritten.
See also Whonix modular flexible .d style configuration folders.
To view the file, follow these instructions.
If using Qubes-Whonix ™, complete these steps.
Qubes App Launcher (blue/grey "Q") → Template: whonix-ws-15 → Whonix Global Firewall Settings
If using a graphical Whonix-Workstation ™, complete these steps.
Start Menu → Applications → Settings → Global Firewall Settings
If using a terminal-only Whonix-Workstation ™, complete these steps.
In Whonix-Workstation ™, open the whonix_firewall configuration file in an editor.
nano /etc/whonix_firewall.d/30_whonix_workstation_default.conf
Add. [8]
firewall_allow_udp=true
Save.
Reload Whonix-Workstation ™ Firewall.
If you are using Qubes-Whonix ™, complete the following steps.
Qubes App Launcher (blue/grey "Q") → Whonix-Workstation ™ AppVM (commonly named anon-whonix) → Reload Whonix Firewall
If you are using a graphical Whonix-Workstation ™, complete the following steps.
Start Menu → Applications → System → Reload Whonix Firewall
If you are using a terminal-only Whonix-Workstation ™, run.
sudo whonix_firewall
Done, Whonix-Workstation ™ firewall does now permit UDP.
Purpose[edit]
https://github.com/Whonix/whonix-firewall/blob/master/man/whonix_firewall.8.ronn#whonix-workstation-firewall-design-notes [archive]
See Also[edit]
- Whonix-Workstation ™ is Firewalled
- Open a Port(s) in Whonix ™ and Port Forwarding
- Whonix ™ Configuration Drop-In Folders
- https://github.com/Whonix/whonix-firewall/blob/master/etc/whonix_firewall.d/30_whonix_workstation_default.conf [archive]
- https://github.com/Whonix/whonix-firewall/blob/master/usr/bin/whonix-workstation-firewall [archive]
- https://github.com/Whonix/whonix-firewall [archive]
- Whonix-Gateway ™ Firewall
Footnotes[edit]
- ↑ https://github.com/Whonix/whonix-ws-firewall/blob/Whonix13/man/whonix_firewall.8.ronn [archive]
- ↑
man whonix_firewall
- ↑ https://phabricator.whonix.org/T533#11025 [archive]
- ↑ https://forums.whonix.org/t/internal-open-ports-setting/11404/1 [archive]
- ↑ http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol [archive]
- ↑ https://github.com/Whonix/anon-apps-config/blob/master/etc/permission-hardening.d/30_ping.conf [archive]
- ↑ https://trac.torproject.org/projects/tor/ticket/7830 [archive]
- ↑
Whonix ™ is Supported by Evolution Host DDoS Protected VPS. Stay private and get your VPS with Bitcoin or Monero.
Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki
.svg.png&filetimestamp=20200623163525&){kind=small}
Have you read our Documentation, Design and Developer Portal links yet?
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.
Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)
The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.
Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].
Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.
By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint, Contact.