Whonix-Workstation Firewall
Donate
How-To: Open a Port in Whonix-Workstation Firewall, Restrict Outgoing IPs, Additional User Custom Firewall Rules and other settings for advanced users.
How-to: Open a Port in Whonix-Workstation Firewall[edit]
Open an Incoming Port[edit]
Whonix-Gateway → Whonix-Workstation → server running inside Whonix-Workstation
This allows for an incoming connection from Whonix-Gateway. This is useful for various purposes such as:
- A) making Onion Services reachable; and
- B) Whonix-Workstation to Whonix-Workstation Connections.
1. Modify Whonix-Workstation User Firewall Settings
Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.
If using Qubes-Whonix, complete these steps.
In Whonix-Workstation App Qube. Make sure folder /usr/local/etc/whonix_firewall.d exists.
sudo mkdir -p /usr/local/etc/whonix_firewall.d
Qubes App Launcher (blue/grey "Q") → Whonix-Workstation App Qube (commonly called anon-whonix) → Whonix User Firewall Settings
If using a graphical Whonix-Workstation, complete these steps.
Start Menu → Applications → System → User Firewall Settings
If using a terminal-only Whonix-Workstation, complete these steps.
Open file /usr/local/etc/whonix_firewall.d/50_user.conf with root rights.
sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf
For more help, press on Expand on the right.
Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_workstation_default.conf.
The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_workstation_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.
## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When {{project_name_long}} is updated, this
## file may be overwritten.
Also see: Whonix modular flexible .d style configuration folders.
To view the file, follow these instructions.
If using Qubes-Whonix, complete these steps.
Qubes App Launcher (blue/grey "Q") → Template: whonix-workstation-17 → Whonix Global Firewall Settings
If using a graphical Whonix-Workstation, complete these steps.
Start Menu → Applications → Settings → Global Firewall Settings
If using a terminal-only Whonix-Workstation, complete these steps.
In Whonix-Workstation, open the whonix_firewall configuration file in an editor. nano /etc/whonix_firewall.d/30_whonix_workstation_default.conf
2. Add.
Replace 80 with the actual port you would like to open.
EXTERNAL_OPEN_PORTS+=" 80 "
3. Save.
4. Reload Whonix-Workstation Firewall.
If you are using Qubes-Whonix, complete the following steps.
Qubes App Launcher (blue/grey "Q") → Whonix-Workstation App Qube (commonly named anon-whonix) → Reload Whonix Firewall
If you are using a graphical Whonix-Workstation, complete the following steps.
Start Menu → Applications → System → Reload Whonix Firewall
If you are using a terminal-only Whonix-Workstation, run. sudo whonix_firewall
The procedure is complete.
Open an Outgoing Port[edit]
This allows for an outgoing connection to Whonix-Gateway.
Whonix-Workstation → Whonix-Gateway → Tor SocksPort
This might be useful for Tor additional SocksPorts.
Warning:
- This is usually not required!
- This is Unsupported! Always follow Firewall Refactoring steps before and after making configuration changes to check if the firewall rules actually changed.
1. Reminder on opening outgoing ports.
This is usually not required since Whonix-Workstation firewall does not restrict what ports on Whonix-Gateway are reachable if these are open in Whonix-Gateway firewall.
It is only useful to prevent connections to Tor SocksPorts in timesync-fail-closed firewall mode. [3]
2. Modify Whonix-Workstation User Firewall Settings
Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.
If using Qubes-Whonix, complete these steps.
In Whonix-Workstation App Qube. Make sure folder /usr/local/etc/whonix_firewall.d exists.
sudo mkdir -p /usr/local/etc/whonix_firewall.d
Qubes App Launcher (blue/grey "Q") → Whonix-Workstation App Qube (commonly called anon-whonix) → Whonix User Firewall Settings
If using a graphical Whonix-Workstation, complete these steps.
Start Menu → Applications → System → User Firewall Settings
If using a terminal-only Whonix-Workstation, complete these steps.
Open file /usr/local/etc/whonix_firewall.d/50_user.conf with root rights.
sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf
For more help, press on Expand on the right.
Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_workstation_default.conf.
The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_workstation_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.
## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When {{project_name_long}} is updated, this
## file may be overwritten.
Also see: Whonix modular flexible .d style configuration folders.
To view the file, follow these instructions.
If using Qubes-Whonix, complete these steps.
Qubes App Launcher (blue/grey "Q") → Template: whonix-workstation-17 → Whonix Global Firewall Settings
If using a graphical Whonix-Workstation, complete these steps.
Start Menu → Applications → Settings → Global Firewall Settings
If using a terminal-only Whonix-Workstation, complete these steps.
In Whonix-Workstation, open the whonix_firewall configuration file in an editor. nano /etc/whonix_firewall.d/30_whonix_workstation_default.conf
3. Add.
Note: Replace 9230 with the actual port you would like to open.
INTERNAL_OPEN_PORTS+=" 9230 "
4. Save.
5. Reload Whonix-Workstation Firewall.
If you are using Qubes-Whonix, complete the following steps.
Qubes App Launcher (blue/grey "Q") → Whonix-Workstation App Qube (commonly named anon-whonix) → Reload Whonix Firewall
If you are using a graphical Whonix-Workstation, complete the following steps.
Start Menu → Applications → System → Reload Whonix Firewall
If you are using a terminal-only Whonix-Workstation, run. sudo whonix_firewall
The procedure is complete.
How-to: Open All Ports in Whonix-Workstation Firewall[edit]
Whonix-Gateway → Whonix-Workstation → server running inside Whonix-Workstation
This allows for an incoming connection from Whonix-Gateway. This is useful for various purposes such as making Onion Services reachable.
This procedure is usually not required and should be avoided.
1. Modify Whonix-Workstation User Firewall Settings
Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.
If using Qubes-Whonix, complete these steps.
In Whonix-Workstation App Qube. Make sure folder /usr/local/etc/whonix_firewall.d exists.
sudo mkdir -p /usr/local/etc/whonix_firewall.d
Qubes App Launcher (blue/grey "Q") → Whonix-Workstation App Qube (commonly called anon-whonix) → Whonix User Firewall Settings
If using a graphical Whonix-Workstation, complete these steps.
Start Menu → Applications → System → User Firewall Settings
If using a terminal-only Whonix-Workstation, complete these steps.
Open file /usr/local/etc/whonix_firewall.d/50_user.conf with root rights.
sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf
For more help, press on Expand on the right.
Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_workstation_default.conf.
The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_workstation_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.
## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When {{project_name_long}} is updated, this
## file may be overwritten.
Also see: Whonix modular flexible .d style configuration folders.
To view the file, follow these instructions.
If using Qubes-Whonix, complete these steps.
Qubes App Launcher (blue/grey "Q") → Template: whonix-workstation-17 → Whonix Global Firewall Settings
If using a graphical Whonix-Workstation, complete these steps.
Start Menu → Applications → Settings → Global Firewall Settings
If using a terminal-only Whonix-Workstation, complete these steps.
In Whonix-Workstation, open the whonix_firewall configuration file in an editor. nano /etc/whonix_firewall.d/30_whonix_workstation_default.conf
2. Add.
EXTERNAL_OPEN_ALL=true
Save.
3. Reload Whonix-Workstation Firewall.
If you are using Qubes-Whonix, complete the following steps.
Qubes App Launcher (blue/grey "Q") → Whonix-Workstation App Qube (commonly named anon-whonix) → Reload Whonix Firewall
If you are using a graphical Whonix-Workstation, complete the following steps.
Start Menu → Applications → System → Reload Whonix Firewall
If you are using a terminal-only Whonix-Workstation, run. sudo whonix_firewall
The procedure is complete.
How-to: Restrict Outgoing IPs in Whonix-Workstation Firewall[edit]
This allows to restrict which outgoing IPs can be reached from inside Whonix-Workstation. This might be useful for single use-case VMs (specifically App Qubes).
Testers only!
1. Modify Whonix-Workstation User Firewall Settings
Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.
If using Qubes-Whonix, complete these steps.
In Whonix-Workstation App Qube. Make sure folder /usr/local/etc/whonix_firewall.d exists.
sudo mkdir -p /usr/local/etc/whonix_firewall.d
Qubes App Launcher (blue/grey "Q") → Whonix-Workstation App Qube (commonly called anon-whonix) → Whonix User Firewall Settings
If using a graphical Whonix-Workstation, complete these steps.
Start Menu → Applications → System → User Firewall Settings
If using a terminal-only Whonix-Workstation, complete these steps.
Open file /usr/local/etc/whonix_firewall.d/50_user.conf with root rights.
sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf
For more help, press on Expand on the right.
Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_workstation_default.conf.
The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_workstation_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.
## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When {{project_name_long}} is updated, this
## file may be overwritten.
Also see: Whonix modular flexible .d style configuration folders.
To view the file, follow these instructions.
If using Qubes-Whonix, complete these steps.
Qubes App Launcher (blue/grey "Q") → Template: whonix-workstation-17 → Whonix Global Firewall Settings
If using a graphical Whonix-Workstation, complete these steps.
Start Menu → Applications → Settings → Global Firewall Settings
If using a terminal-only Whonix-Workstation, complete these steps.
In Whonix-Workstation, open the whonix_firewall configuration file in an editor. nano /etc/whonix_firewall.d/30_whonix_workstation_default.conf
2. Add.
Note: Replace the example IP address 95.216.25.250 with an actual IP address. Multiple similar lines are supported.
outgoing_allow_ip_list+=" 95.216.25.250 "
Save.
3. Reboot or Reload Whonix-Workstation Firewall.
If you are using Qubes-Whonix, complete the following steps.
Qubes App Launcher (blue/grey "Q") → Whonix-Workstation App Qube (commonly named anon-whonix) → Reload Whonix Firewall
If you are using a graphical Whonix-Workstation, complete the following steps.
Start Menu → Applications → System → Reload Whonix Firewall
If you are using a terminal-only Whonix-Workstation, run. sudo whonix_firewall
4. The procedure is complete.
To test:
curl.anondist-orig 95.216.25.250
Disable Whonix-Workstation Firewall Until Reboot[edit]
To disable until reboot.
Perform this action inside Whonix-Workstation -- see Firewall Unload.
Permanently Disable Whonix-Workstation Firewall[edit]
Perform this action inside Whonix-Workstation.
(In Qubes-Whonix: In Template.)
sudo systemctl mask whonix-firewall
No firewall rules will load after rebooting.
Additional User Custom Firewall Rules[edit]
Testers only! Unsupported!
This might be possible by using a systemd drop-in file.
1. Firewall refactoring. (Optional.)
It would be good to master the skill of Firewall Refactoring
first.
2. Open file /usr/bin/user-firewall-script in an editor with root rights.
Non-Qubes-Whonix
This box uses sudoedit for better security.
Others and Alternatives
- This is just an example. Other tools could achieve the same goal.
- If this example does not work for you or if you are not using Whonix, please refer to this link.
sudoedit /usr/bin/user-firewall-script
3. Paste.
NOTE: Replace ## custom user firewall rules here with the actual user custom firewall rules.
#!/bin/bash ## custom user firewall rules here
4. Save and exit.
5. Make executable.
sudo chmod +x /usr/bin/user-firewall-script
6. Manually test the user firewall script.
sudo user-firewall-script
Once the user firewall script is functional, the user can proceed to automate loading of the user firewall script.
7. Create folder /lib/systemd/system/whonix-firewall.service.d.
sudo mkdir -p /lib/systemd/system/whonix-firewall.service.d
8. Open file /lib/systemd/system/whonix-firewall.service.d/50_user.conf in an editor with root rights.
Non-Qubes-Whonix
This box uses sudoedit for better security.
Others and Alternatives
- This is just an example. Other tools could achieve the same goal.
- If this example does not work for you or if you are not using Whonix, please refer to this link.
sudoedit /lib/systemd/system/whonix-firewall.service.d/50_user.conf
9. Paste.
[Service] ExecStartPost=/usr/libexec/user-firewall-script
10. Save and exit.
11. Reload systemd.
sudo systemctl daemon-reload
12. Reload Whonix-Workstation Firewall.
If you are using Qubes-Whonix, complete the following steps.
Qubes App Launcher (blue/grey "Q") → Whonix-Workstation App Qube (commonly named anon-whonix) → Reload Whonix Firewall
If you are using a graphical Whonix-Workstation, complete the following steps.
Start Menu → Applications → System → Reload Whonix Firewall
If you are using a terminal-only Whonix-Workstation, run. sudo whonix_firewall
13. Done.
Firewall rules should now be automatically load after reboot. It would be prudent to verify that using firewall refactoring method.
Ping[edit]
Ping commands should not work for external addresses from the Whonix-Workstation. The reason is ICMP traffic is not proxied and it is filtered by Whonix Firewall (/usr/bin/whonix_firewall) because Tor does not support UDP. For example, ping google.com will not work. To make ping functional, see the Allow UDP chapter.
When SUID Disabler and Permission Hardener is enabled in the future, [4] the CAP_NET_RAW capability will be removed from ping to reduce the attack surface since it would not work anyway. [5] When that occurs, to re-enable ping functionality refer to the Whitelist Specific Capability Binaries chapter.
Forum discussion:
Ping operation permitted?
Allow UDP[edit]
The Tor software does not support UDP. The feature request UDP over Tor was created in 2013 and closed as won't fix by upstream, The Tor Project in 2018. It is therefore highly unlikely that the UDP over Tor feature will ever be implemented. This is unspecific to Whonix.
Tor provides a DnsPort but that is unrelated.
If UDP is urgently required in Whonix, a limited workaround is provided. For the most secure method, see Tunnel UDP over Tor.
To allow UDP, complete the following steps.
1. Modify Whonix-Workstation User Firewall Settings
Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.
If using Qubes-Whonix, complete these steps.
In Whonix-Workstation App Qube. Make sure folder /usr/local/etc/whonix_firewall.d exists.
sudo mkdir -p /usr/local/etc/whonix_firewall.d
Qubes App Launcher (blue/grey "Q") → Whonix-Workstation App Qube (commonly called anon-whonix) → Whonix User Firewall Settings
If using a graphical Whonix-Workstation, complete these steps.
Start Menu → Applications → System → User Firewall Settings
If using a terminal-only Whonix-Workstation, complete these steps.
Open file /usr/local/etc/whonix_firewall.d/50_user.conf with root rights.
sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf
For more help, press on Expand on the right.
Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_workstation_default.conf.
The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_workstation_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.
## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When {{project_name_long}} is updated, this
## file may be overwritten.
Also see: Whonix modular flexible .d style configuration folders.
To view the file, follow these instructions.
If using Qubes-Whonix, complete these steps.
Qubes App Launcher (blue/grey "Q") → Template: whonix-workstation-17 → Whonix Global Firewall Settings
If using a graphical Whonix-Workstation, complete these steps.
Start Menu → Applications → Settings → Global Firewall Settings
If using a terminal-only Whonix-Workstation, complete these steps.
In Whonix-Workstation, open the whonix_firewall configuration file in an editor. nano /etc/whonix_firewall.d/30_whonix_workstation_default.conf
2. Add. [6]
firewall_allow_udp=true
Save.
3. Reload Whonix-Workstation Firewall.
If you are using Qubes-Whonix, complete the following steps.
Qubes App Launcher (blue/grey "Q") → Whonix-Workstation App Qube (commonly named anon-whonix) → Reload Whonix Firewall
If you are using a graphical Whonix-Workstation, complete the following steps.
Start Menu → Applications → System → Reload Whonix Firewall
If you are using a terminal-only Whonix-Workstation, run. sudo whonix_firewall
4. Done.
The procedure is complete. Whonix-Workstation firewall will now permit UDP.
5. Notice.
Allowing UDP in the firewall by itself is insufficient to make UDP work. See the infobox on top of this wiki chapter.
Allow DNS[edit]
Similar to above.
By following instructions to Allow UDP, there will be no restrictions for DNS.
Purpose[edit]
Refer to Whonix-Workstation firewall design notes for further information.
See Also[edit]
- Whonix-Workstation is Firewalled
- Open a Port(s) in Whonix and Port Forwarding
- Whonix Configuration Drop-In Folders
- https://github.com/Whonix/whonix-firewall/blob/master/etc/whonix_firewall.d/30_whonix_workstation_default.conf
- https://github.com/Whonix/whonix-firewall/blob/master/usr/bin/whonix-workstation-firewall
- https://github.com/Whonix/whonix-firewall
- Whonix-Gateway Firewall
- Redirect Whonix-Workstation Ports or Unix Domain Socket Files to Whonix-Gateway
Footnotes[edit]
- ↑
https://gitlab.com/Whonix/whonix-firewall/blob/master/man/whonix_firewall.8.ronn
- ↑ man whonix_firewall
- ↑
https://phabricator.whonix.org/T533#11025
- ↑ It was not enabled by default at the time of writing.
- ↑
https://gitlab.com/Whonix/anon-apps-config/blob/master/etc/permission-hardening.d/30_ping.conf
- ↑
At Whonix we value freedom and trust, supporting Open Source and Freedom Software
ENCRYPTED SUPPORT LP,
2023
We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 10 year success story and maybe DONATE!