{{Header}} {{#seo: |description=How-To: Open a Port in {{project_name_workstation_long}} Firewall, Restrict Outgoing IPs, Additional User Custom Firewall Rules and other settings for advanced users. |image=Firewall-34227640.png }} [[image:Firewall-34227640.png|250px|thumb]]
* [[Whonix-Gateway Firewall]] * [[Whonix-Workstation Firewall]]
{{intro| How-To: Open a Port in {{project_name_workstation_short}} Firewall, Restrict Outgoing IPs, Additional User Custom Firewall Rules and other settings for advanced users. }} https://gitlab.com/{{project_name_short}}/whonix-firewall/blob/master/man/whonix_firewall.8.ronn {{CodeSelect|code= man whonix_firewall }} = How-to: Open a Port in {{project_name_workstation_short}} Firewall = == Open an Incoming Port == '''{{project_name_gateway_short}}{{project_name_workstation_short}}server running inside {{project_name_workstation_short}} This allows for an incoming connection from {{project_name_gateway_short}}. This is useful for various purposes such as: * A) making [[Onion Services]] reachable; and * B) [[Whonix-Workstation to Whonix-Workstation Connections]]. {{Box|text= '''1.''' {{Firewall_Settings_Workstation}} '''2.''' Add. Replace 80 with the actual port you would like to open. {{CodeSelect|code= EXTERNAL_OPEN_PORTS+=" 80 " }} '''3.''' Save. '''4.''' {{Reload_Firewall_ws}} The procedure is complete. }} == Open an Outgoing Port == This allows for an outgoing connection to {{project_name_gateway_short}}. '''{{project_name_workstation_short}}{{project_name_gateway_short}} → Tor SocksPort This might be useful for [[Tor#Additional_SocksPorts|Tor additional SocksPorts]]. {{Firewall_Custom}} {{Box|text= '''1.''' Reminder on opening outgoing ports. This is usually not required since {{project_name_workstation_short}} firewall does not restrict what ports on {{project_name_gateway_short}} are reachable if these are open in {{project_name_gateway_short}} firewall. It is only useful to prevent connections to Tor SocksPorts in timesync-fail-closed firewall mode. https://phabricator.whonix.org/T533#11025 '''2.''' {{Firewall_Settings_Workstation}} '''3.''' Add. Note: Replace 9230 with the actual port you would like to open. {{CodeSelect|code= INTERNAL_OPEN_PORTS+=" 9230 " }} '''4.''' Save. '''5.''' {{Reload_Firewall_ws}} The procedure is complete. }} = How-to: Open All Ports in {{project_name_workstation_short}} Firewall = '''{{project_name_gateway_short}}{{project_name_workstation_short}}server running inside {{project_name_workstation_short}} This allows for an incoming connection from {{project_name_gateway_short}}. This is useful for various purposes such as making [[Onion Services]] reachable. {{mbox | type = notice | image = [[File:Ambox_notice.png|40px|alt=Info]] | text = This procedure is usually not required and should be avoided. }} {{Box|text= '''1.''' {{Firewall_Settings_Workstation}} '''2.''' Add. {{CodeSelect|code= EXTERNAL_OPEN_ALL=true }} Save. '''3.''' {{Reload_Firewall_ws}} The procedure is complete. }} = How-to: Restrict Outgoing IPs in {{project_name_workstation_short}} Firewall = This allows to restrict which outgoing IPs can be reached from inside {{project_name_workstation_short}}. This might be useful for single use-case VMs (specifically App Qubes). '''Testers only!''' {{Box|text= '''1.''' {{Firewall_Settings_Workstation}} '''2.''' Add. Note: Replace the example IP address 95.216.25.250 with an actual IP address. Multiple similar lines are supported. {{CodeSelect|code= outgoing_allow_ip_list+=" 95.216.25.250 " }} Save. '''3.''' '''Reboot''' or {{Reload_Firewall_ws}} '''4.''' The procedure is complete. }} To test: {{CodeSelect|code= curl.anondist-orig 95.216.25.250 }} = Disable {{project_name_workstation_short}} Firewall Until Reboot = To disable until reboot. Perform this action inside {{project_name_workstation_short}} -- see [[Dev/Firewall_Unload|Firewall Unload]]. = Permanently Disable {{project_name_workstation_short}} Firewall = Perform this action inside {{project_name_workstation_short}}. (In Qubes-Whonix: In Template.) {{CodeSelect|code= sudo systemctl mask whonix-firewall }} No firewall rules will load after rebooting. = Additional User Custom Firewall Rules = Testers only! [[Unsupported]]! This might be possible by using a systemd drop-in file. '''1.''' Firewall refactoring. (Optional.) It would be good to master the skill of [https://www.kicksecure.com/wiki/Dev/Firewall_Refactoring Firewall Refactoring] first. '''2.''' {{Open with root rights|filename= /usr/bin/user-firewall-script }} '''3.''' Paste. NOTE: Replace ## custom user firewall rules here with the actual user custom firewall rules. {{CodeSelect|code= #!/bin/bash ## custom user firewall rules here }} '''4.''' Save and exit. '''5.''' Make executable. {{CodeSelect|code= sudo chmod +x /usr/bin/user-firewall-script }} '''6.''' Manually test the user firewall script. {{CodeSelect|code= sudo user-firewall-script }} Once the user firewall script is functional, the user can proceed to automate loading of the user firewall script. '''7.''' Create folder /lib/systemd/system/whonix-firewall.service.d. {{CodeSelect|code= sudo mkdir -p /lib/systemd/system/whonix-firewall.service.d }} '''8.''' {{Open with root rights|filename= /lib/systemd/system/whonix-firewall.service.d/50_user.conf }} '''9.''' Paste. {{CodeSelect|code= [Service] ExecStartPost=/usr/libexec/user-firewall-script }} '''10.''' Save and exit. '''11.''' Reload systemd. {{CodeSelect|code= sudo systemctl daemon-reload }} '''12.''' {{Reload_Firewall_ws}} '''13.''' Done. Firewall rules should now be automatically load after reboot. It would be prudent to verify that using firewall refactoring method. = Ping = Ping commands should not work for external addresses from the {{project_name_workstation_short}}. The reason is [https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol ICMP traffic] is not proxied and it is filtered by {{project_name_short}} Firewall ({{W_Firewall}}) because [[Tor#UDP|Tor does not support UDP]]. For example, ping google.com will not work. To make ping functional, see the [[#Allow UDP|Allow UDP]] chapter. [[SUID Disabler and Permission Hardener]] disables the SUID from ping to reduce the attack surface since it would not work anyway. https://github.com/Whonix/anon-apps-config/blob/master/etc/permission-hardener.d/30_ping.conf In the future, capability removal of CAP_NET_RAW might be useful if Debian starts doing that. When that occurs, to re-enable ping functionality refer to the [[SUID_Disabler_and_Permission_Hardener#Whitelist_Specific_Capability_Binaries|Whitelist Specific Capability Binaries]] chapter. This of course does not resolve the issue that Tor does not support UDP. Forum discussion:
[https://forums.whonix.org/t/ping-operation-permitted/11056/ Ping operation permitted?] = Allow UDP = {{Tor_UDP}} To allow UDP, complete the following steps. {{Box|text= '''1.''' {{Firewall_Settings_Workstation}} '''2.''' Add. * https://forums.whonix.org/t/does-whonix-have-torrents-available/10046/8 * https://forums.whonix.org/t/whonix-15-0-1-5-1-for-virtualbox-point-release/10294 {{CodeSelect|code= firewall_allow_udp=true }} Save. '''3.''' {{Reload_Firewall_ws}} '''4.''' Done. The procedure is complete. {{project_name_workstation_short}} firewall will now permit UDP. '''5.''' Notice. Allowing UDP in the firewall by itself is insufficient to make UDP work. See the infobox on top of this wiki chapter. }} = Allow DNS = Similar to above. By following instructions to Allow UDP, there will be no restrictions for DNS. = Purpose = Refer to [https://gitlab.com/Whonix/whonix-firewall/blob/master/man/whonix_firewall.8.ronn#whonix-workstation-firewall-design-notes {{project_name_workstation_short}} firewall design notes] for further information. = See Also = * [[Install_Software#{{project_name_workstation_short}}_is_Firewalled|{{project_name_workstation_short}} is Firewalled]] * [[Ports|Open a Port(s) in {{project_name_short}} and Port Forwarding]] * [[Configuration_Files#Configuration_Drop-In_Folders|{{project_name_short}} Configuration Drop-In Folders]] * https://github.com/Whonix/whonix-firewall/blob/master/etc/whonix_firewall.d/30_whonix_workstation_default.conf * https://github.com/Whonix/whonix-firewall/blob/master/usr/bin/whonix-workstation-firewall * https://github.com/Whonix/whonix-firewall * [[{{project_name_gateway_short}}_Firewall|{{project_name_gateway_long}} Firewall]] * [[Redirect_Whonix-Workstation_Ports_or_Unix_Domain_Socket_Files_to_Whonix-Gateway|Redirect Whonix-Workstation Ports or Unix Domain Socket Files to Whonix-Gateway]] = Footnotes = {{reflist|close=1}} {{Footer}} [[Category:Documentation]]