Whonix-Workstation Firewall
From Whonix
How-to: Open a Port in Whonix-Workstation ™ Firewall[edit]
Open an Incoming Port[edit]
Whonix-Gateway ™ → Whonix-Workstation ™ → server running inside Whonix-Workstation ™
This allows for an incoming connection from Whonix-Gateway ™. This is useful for various purposes such as making Onion Services reachable.
1. Modify Whonix-Workstation ™ User Firewall Settings
Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.
If using Qubes-Whonix ™, complete these steps.
In Whonix-Workstation ™ AppVM. Make sure folder /usr/local/etc/whonix_firewall.d exists.
sudo mkdir -p /usr/local/etc/whonix_firewall.d
Qubes App Launcher (blue/grey "Q") → Whonix-Workstation ™ AppVM (commonly called anon-whonix) → Whonix User Firewall Settings
If using a graphical Whonix-Workstation ™, complete these steps.
Start Menu → Applications → System → User Firewall Settings
If using a terminal-only Whonix-Workstation ™, complete these steps.
Open /usr/local/etc/whonix_firewall.d/50_user.conf with root rights.
sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf
For more help, press on Expand on the right.
Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_workstation_default.conf.
The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_workstation_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.
## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration, ## which will override the defaults found here. When Whonix is updated, this ## file may be overwritten.
See also Whonix modular flexible .d style configuration folders.
To view the file, follow these instructions.
If using Qubes-Whonix ™, complete these steps.
Qubes App Launcher (blue/grey "Q") → Template: whonix-ws-15 → Whonix Global Firewall Settings
If using a graphical Whonix-Workstation ™, complete these steps.
Start Menu → Applications → Settings → Global Firewall Settings
If using a terminal-only Whonix-Workstation ™, complete these steps.
In Whonix-Workstation ™, open the whonix_firewall configuration file in an editor.
nano /etc/whonix_firewall.d/30_whonix_workstation_default.conf
2. Add.
Replace 80 with the actual port you would like to open.
EXTERNAL_OPEN_PORTS+=" 80 "
3. Save.
4. Reload Whonix-Workstation ™ Firewall.
If you are using Qubes-Whonix ™, complete the following steps.
Qubes App Launcher (blue/grey "Q") → Whonix-Workstation ™ AppVM (commonly named anon-whonix) → Reload Whonix Firewall
If you are using a graphical Whonix-Workstation ™, complete the following steps.
Start Menu → Applications → System → Reload Whonix Firewall
If you are using a terminal-only Whonix-Workstation ™, run.
sudo whonix_firewall
The procedure is complete.
Open an Outgoing Port[edit]
Warning:
- This is usually not required!
- This is Untested! Always follow Firewall Refactoring steps before and after making configuration changes to check if the firewall rules actually changed.
Whonix-Workstation ™ → Whonix-Gateway ™ → Tor SocksPort
This allows for an outgoing connection to Whonix-Gateway ™.
This might be useful for Tor additional SocksPorts.
1. Reminder on opening outgoing ports.
This is usually not required since Whonix-Workstation ™ firewall does not restrict what ports on Whonix-Gateway ™ are reachable if these are open in Whonix-Gateway ™ firewall.
It is only useful to prevent connections to Tor SocksPorts in timesync-fail-closed firewall mode. [3]
2. Modify Whonix-Workstation ™ User Firewall Settings
Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.
If using Qubes-Whonix ™, complete these steps.
In Whonix-Workstation ™ AppVM. Make sure folder /usr/local/etc/whonix_firewall.d exists.
sudo mkdir -p /usr/local/etc/whonix_firewall.d
Qubes App Launcher (blue/grey "Q") → Whonix-Workstation ™ AppVM (commonly called anon-whonix) → Whonix User Firewall Settings
If using a graphical Whonix-Workstation ™, complete these steps.
Start Menu → Applications → System → User Firewall Settings
If using a terminal-only Whonix-Workstation ™, complete these steps.
Open /usr/local/etc/whonix_firewall.d/50_user.conf with root rights.
sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf
For more help, press on Expand on the right.
Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_workstation_default.conf.
The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_workstation_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.
## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration, ## which will override the defaults found here. When Whonix is updated, this ## file may be overwritten.
See also Whonix modular flexible .d style configuration folders.
To view the file, follow these instructions.
If using Qubes-Whonix ™, complete these steps.
Qubes App Launcher (blue/grey "Q") → Template: whonix-ws-15 → Whonix Global Firewall Settings
If using a graphical Whonix-Workstation ™, complete these steps.
Start Menu → Applications → Settings → Global Firewall Settings
If using a terminal-only Whonix-Workstation ™, complete these steps.
In Whonix-Workstation ™, open the whonix_firewall configuration file in an editor.
nano /etc/whonix_firewall.d/30_whonix_workstation_default.conf
3. Add.
Note: Replace 9230 with the actual port you would like to open.
INTERNAL_OPEN_PORTS+=" 9230 "
4. Save.
5. Reload Whonix-Workstation ™ Firewall.
If you are using Qubes-Whonix ™, complete the following steps.
Qubes App Launcher (blue/grey "Q") → Whonix-Workstation ™ AppVM (commonly named anon-whonix) → Reload Whonix Firewall
If you are using a graphical Whonix-Workstation ™, complete the following steps.
Start Menu → Applications → System → Reload Whonix Firewall
If you are using a terminal-only Whonix-Workstation ™, run.
sudo whonix_firewall
The procedure is complete.
How-to: Open All Ports in Whonix-Workstation ™ Firewall[edit]
This procedure is usually not required and should be avoided.
This allows for an incoming connection from Whonix-Gateway ™. This is useful for various purposes such as making Onion Services reachable.
1. Modify Whonix-Workstation ™ User Firewall Settings
Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.
If using Qubes-Whonix ™, complete these steps.
In Whonix-Workstation ™ AppVM. Make sure folder /usr/local/etc/whonix_firewall.d exists.
sudo mkdir -p /usr/local/etc/whonix_firewall.d
Qubes App Launcher (blue/grey "Q") → Whonix-Workstation ™ AppVM (commonly called anon-whonix) → Whonix User Firewall Settings
If using a graphical Whonix-Workstation ™, complete these steps.
Start Menu → Applications → System → User Firewall Settings
If using a terminal-only Whonix-Workstation ™, complete these steps.
Open /usr/local/etc/whonix_firewall.d/50_user.conf with root rights.
sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf
For more help, press on Expand on the right.
Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_workstation_default.conf.
The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_workstation_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.
## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration, ## which will override the defaults found here. When Whonix is updated, this ## file may be overwritten.
See also Whonix modular flexible .d style configuration folders.
To view the file, follow these instructions.
If using Qubes-Whonix ™, complete these steps.
Qubes App Launcher (blue/grey "Q") → Template: whonix-ws-15 → Whonix Global Firewall Settings
If using a graphical Whonix-Workstation ™, complete these steps.
Start Menu → Applications → Settings → Global Firewall Settings
If using a terminal-only Whonix-Workstation ™, complete these steps.
In Whonix-Workstation ™, open the whonix_firewall configuration file in an editor.
nano /etc/whonix_firewall.d/30_whonix_workstation_default.conf
2. Add.
EXTERNAL_OPEN_ALL=true
Save.
3. Reload Whonix-Workstation ™ Firewall.
If you are using Qubes-Whonix ™, complete the following steps.
Qubes App Launcher (blue/grey "Q") → Whonix-Workstation ™ AppVM (commonly named anon-whonix) → Reload Whonix Firewall
If you are using a graphical Whonix-Workstation ™, complete the following steps.
Start Menu → Applications → System → Reload Whonix Firewall
If you are using a terminal-only Whonix-Workstation ™, run.
sudo whonix_firewall
The procedure is complete.
Disable Whonix-Workstation ™ Firewall Until Reboot[edit]
Perform this action inside Whonix-Workstation ™ -- see Firewall Unload.
Permanently Disable Whonix-Workstation ™ Firewall[edit]
Perform this action inside Whonix-Workstation ™.
sudo systemctl mask whonix-firewall
No firewall rules will load after rebooting.
Ping[edit]
Ping commands should not work for external addresses from the Whonix-Workstation ™. The reason is ICMP traffic [archive] is not proxied and it is filtered by Whonix ™ Firewall (/usr/bin/whonix_firewall) because Tor does not support UDP. For example, ping google.com will not work. To make ping functional, see the Allow UDP chapter.
When SUID Disabler and Permission Hardener is enabled in the future, [4] the CAP_NET_RAW capability will be removed from ping to reduce the attack surface since it would not work anyway. [5] When that occurs, to re-enable ping functionality refer to the Whitelist Specific Capability Binaries chapter.
Forum discussion:
Ping operation permitted? [archive]
Allow UDP[edit]
The Tor software does not yet support UDP, [6] although Tor provides a DnsPort.
If UDP is urgently required in Whonix ™, a limited workaround is provided. For the most secure method, see Tunnel UDP over Tor.
To allow UDP, complete the following steps.
1. Modify Whonix-Workstation ™ User Firewall Settings
Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.
If using Qubes-Whonix ™, complete these steps.
In Whonix-Workstation ™ AppVM. Make sure folder /usr/local/etc/whonix_firewall.d exists.
sudo mkdir -p /usr/local/etc/whonix_firewall.d
Qubes App Launcher (blue/grey "Q") → Whonix-Workstation ™ AppVM (commonly called anon-whonix) → Whonix User Firewall Settings
If using a graphical Whonix-Workstation ™, complete these steps.
Start Menu → Applications → System → User Firewall Settings
If using a terminal-only Whonix-Workstation ™, complete these steps.
Open /usr/local/etc/whonix_firewall.d/50_user.conf with root rights.
sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf
For more help, press on Expand on the right.
Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_workstation_default.conf.
The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_workstation_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.
## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration, ## which will override the defaults found here. When Whonix is updated, this ## file may be overwritten.
See also Whonix modular flexible .d style configuration folders.
To view the file, follow these instructions.
If using Qubes-Whonix ™, complete these steps.
Qubes App Launcher (blue/grey "Q") → Template: whonix-ws-15 → Whonix Global Firewall Settings
If using a graphical Whonix-Workstation ™, complete these steps.
Start Menu → Applications → Settings → Global Firewall Settings
If using a terminal-only Whonix-Workstation ™, complete these steps.
In Whonix-Workstation ™, open the whonix_firewall configuration file in an editor.
nano /etc/whonix_firewall.d/30_whonix_workstation_default.conf
2. Add. [7]
firewall_allow_udp=true
Save.
3. Reload Whonix-Workstation ™ Firewall.
If you are using Qubes-Whonix ™, complete the following steps.
Qubes App Launcher (blue/grey "Q") → Whonix-Workstation ™ AppVM (commonly named anon-whonix) → Reload Whonix Firewall
If you are using a graphical Whonix-Workstation ™, complete the following steps.
Start Menu → Applications → System → Reload Whonix Firewall
If you are using a terminal-only Whonix-Workstation ™, run.
sudo whonix_firewall
The procedure is complete. Whonix-Workstation ™ firewall will now permit UDP.
Purpose[edit]
Refer to Whonix-Workstation ™ firewall design notes [archive] for further information.
See Also[edit]
- Whonix-Workstation ™ is Firewalled
- Open a Port(s) in Whonix ™ and Port Forwarding
- Whonix ™ Configuration Drop-In Folders
- https://github.com/Whonix/whonix-firewall/blob/master/etc/whonix_firewall.d/30_whonix_workstation_default.conf [archive]
- https://github.com/Whonix/whonix-firewall/blob/master/usr/bin/whonix-workstation-firewall [archive]
- https://github.com/Whonix/whonix-firewall [archive]
- Whonix-Gateway ™ Firewall
Footnotes[edit]
- ↑ https://github.com/Whonix/whonix-ws-firewall/blob/Whonix13/man/whonix_firewall.8.ronn [archive]
- ↑
man whonix_firewall
- ↑ https://phabricator.whonix.org/T533#11025 [archive]
- ↑ It was not enabled by default at the time of writing.
- ↑ https://github.com/Whonix/anon-apps-config/blob/master/etc/permission-hardening.d/30_ping.conf [archive]
- ↑ https://trac.torproject.org/projects/tor/ticket/7830 [archive]
- ↑
Whonix ™ is Supported by Evolution Host DDoS Protected VPS. Stay private and get your VPS with Bitcoin or Monero.
|
|
| Fosshost | About Advertisements |
Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki
.svg.png&filetimestamp=20200623163525&){kind=small}
Did you know that Whonix ™ could provide protection against backdoors? See Verifiable Builds. Help is wanted and welcomed.
Priority Support | Investors | Professional Support
Whonix ™ | © ENCRYPTED SUPPORT LP | 
Freedom Software / 
Open Source (Why?)
The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.