Dev/Firewall Refactoring

From Whonix


How to refactor the firewall script while being sure there are no iptables changes

1) Store current iptables rules to file a.

sudo iptables-save-deterministic > a

2) Refactor the Whonix ™ firewall code.

3) Reload Whonix-Gateway ™ Firewall.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Gateway ™ ProxyVM (commonly named sys-whonix) → Reload Whonix ™ Firewall

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start Menu → Applications → System → Reload Whonix ™ Firewall

If you are using a terminal-only Whonix-Gateway ™, run:

sudo whonix_firewall

4) Store current iptables rules to file b.

sudo iptables-save-deterministic > b

5) Compare files a and b.

Use a console diff viewer...

diff a b

...or use a graphical diff viewer.

meld a b

6) There should be no diff. Any difference means the refactoring changed the loaded rules and must be explained before the change is accepted.
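The following is an added example, not Whonix code, of the comparison the six steps above perform (and of the baseline check the whonixcheck section below proposes), runnable without root. It assumes that what makes iptables-save-deterministic "deterministic" is removing the timestamped "# Generated by" / "# Completed on" comment lines and the [packets:bytes] counters from a plain iptables-save dump; normalize_iptables_dump, compare_dumps and the three sample dumps are constructed for this example.

```bash
#!/bin/bash
# Added example, not Whonix code: normalise two iptables-save dumps so that
# only the rules are compared. Assumption: iptables-save-deterministic's
# job is to remove the timestamped "# Generated by" / "# Completed on"
# comments and the [packets:bytes] counters; that is what is done here.

# Strip non-deterministic content from an iptables-save dump read on stdin.
normalize_iptables_dump() {
    sed -e '/^# Generated by /d' \
        -e '/^# Completed on /d' \
        -e 's/ \[[0-9]*:[0-9]*\]$//' \
        -e 's/^\[[0-9]*:[0-9]*\] //'
}

# Compare two dumps passed as strings. Prints a unified diff of the
# normalised forms; returns 0 when the rules are identical, 1 when they
# differ (diff's own exit-code convention).
compare_dumps() {
    local before_file after_file rc
    before_file="$(mktemp)"
    after_file="$(mktemp)"
    printf '%s\n' "$1" | normalize_iptables_dump > "$before_file"
    printf '%s\n' "$2" | normalize_iptables_dump > "$after_file"
    diff -u "$before_file" "$after_file" && rc=0 || rc=$?
    rm -f "$before_file" "$after_file"
    return "$rc"
}

# Constructed sample dumps (not captured from a real system). BEFORE and
# AFTER carry the same rules with different timestamps and counters, as
# two snapshots taken around a pure refactoring would; CHANGED gained a rule.
BEFORE_DUMP='# Generated by iptables-save v1.8.7 on Mon Jan  1 10:00:00 2024
*filter
:INPUT DROP [12:840]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [99:7000]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
COMMIT
# Completed on Mon Jan  1 10:00:00 2024'

AFTER_DUMP='# Generated by iptables-save v1.8.7 on Mon Jan  1 10:05:00 2024
*filter
:INPUT DROP [30:2100]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [120:9400]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
COMMIT
# Completed on Mon Jan  1 10:05:00 2024'

CHANGED_DUMP='# Generated by iptables-save v1.8.7 on Mon Jan  1 10:05:00 2024
*filter
:INPUT DROP [30:2100]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [120:9400]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i eth0 -j ACCEPT
COMMIT
# Completed on Mon Jan  1 10:05:00 2024'

# Step 6 of the procedure: there should be no diff between a and b.
if compare_dumps "$BEFORE_DUMP" "$AFTER_DUMP" > /dev/null; then
    echo "refactoring left the rules unchanged"
else
    echo "rules differ, inspect the diff above" >&2
fi
```

Comparing BEFORE_DUMP with CHANGED_DUMP instead makes compare_dumps print the extra INPUT rule as a `+` line and return 1, which is exactly the signal a whonixcheck-style test would turn into a warning. Without the normalisation, two dumps of identical rules still differ in every counter and timestamp, so a raw diff of iptables-save output proves nothing.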

whonixcheck iptables test

Does not exist yet.

  • "whonixcheck (which is somewhat a replacement for the lack of test suite) could indeed be useful to check if the loaded iptables rules match a hardcoded iptables dump. Yes, with additional firewall add-ons that would be hard. Then these firewall add-ons could ship a dump that also gets verified. (iptables-dumps.d folder checked by whonixcheck or so.) But then multiple firewall add-ons get hard. Multiple firewall add-ons and dumping, that kind of flexibility might be stretching what the Whonix ™ project may be able to implement." (From (Forum) Bolt on for whonix_firewall - best place to put files? [archive] )
    • whonixcheck could use this iptables diff facility to warn the user when non-standard / unexpected rules are present. And, just like for unwanted packages, it could ask the user to run e.g. iptables-save-whonix to establish a new baseline. whonixcheck would then pass, unless something else changed the rules without the user expecting it, at which point whonixcheck would warn again.

Reference: (Forum) Bolt on for whonix_firewall - best place to put files? [archive]

Split Whonix ™ Firewall Script for better readability

From Patrick:
" I have been wondering for some time now if the firewall script should be split. A lot of sections are being used by multiple packages, whonix-gw-firewall, whonix-ws-firewall and vpn-firewall. Eventually further in future (corridor-gateway to be created one day)...

  • error_handler
  • source config folder
  • IPv4 DEFAULTS
  • IPv4 PREPARATIONS
  • IPv4 DROP INVALID INCOMING PACKAGES
  • IPv4 FORWARD
  • IPv6
  • more minor stuff (iptables_cmd, ip6tables_cmd)


Converted to shell functions. And added to helper-scripts.

The risk of changing firewall rules while refactoring is minimal because it can be verified:

However, the goal is to make the firewall scripts easier to read. Not more difficult to audit. I am not sure which style (all in one file vs split) makes it simpler at this point. "

  • Early files in /etc/whonix_firewall.d could contain bash scripting of the form:
ScriptFuncPreloadElement1() {
    # script lines, e.g.:
    $iptables_cmd ...
}
    • Optionally followed, for inline / immediate execution rather than hooking in later within whonix_firewall, with:
ScriptFuncPreloadElement1
# (Within the same file == calling main().)
    • This separates code definition from code execution.
  • "The other question with firewall code injection, pre/post hooks is when to dispatch them? When you want to dispatch them depends on what you actually want to implement."
  • e.g.
if [ "$(type -t whonix_firewall_input_hook_end)" = "function" ]; then
   whonix_firewall_input_hook_end
fi
    • However, such would only allow a single call per hook. (The user would have to chain all calls within whonix_firewall.d.) Perhaps array variables instead. Code would then be something like ScriptFuncPreloadElement1() as above, then
whonix_firewall_input_hook_end[${#whonix_firewall_input_hook_end[@]}]=ScriptFuncPreloadElement1
      • It would be up to the user to appropriately manage the array ordering.
    • Hooks within whonix_firewall would then walk the appropriate array at the appropriate time.
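As an added example (not Whonix code), the array-based hook registry sketched above, carried through to a runnable script. The hook name whonix_firewall_input_hook_end and the function name ScriptFuncPreloadElement1 follow the notes; register_hook, run_hooks, the iptables_cmd stand-in and the rules inside the hooks are constructed for this example.

```bash
#!/bin/bash
# Added example, not Whonix code: a hook registry built on bash arrays, as
# sketched in the notes. Hook names (whonix_firewall_input_hook_end) follow
# the page; register_hook, run_hooks and the rules inside the hooks are
# constructed for this example.

# Stand-in for "$iptables_cmd" so the example runs without root: it records
# the rule it would have applied instead of loading it.
iptables_cmd() { printf 'iptables %s\n' "$*"; }

# Append function name $2 to the array named $1. Equivalent to the page's
#   hook[${#hook[@]}]=func
# but parameterised on the hook name, so one helper serves every hook
# point. Refuses names that are not defined functions, which would
# otherwise fail only at dispatch time inside whonix_firewall.
register_hook() {
    local hook_name="$1" func="$2"
    if [ "$(type -t "$func")" != "function" ]; then
        echo "register_hook: '$func' is not a defined function" >&2
        return 1
    fi
    eval "$hook_name+=(\"\$func\")"
}

# Dispatch point: walk the array named $1 in registration order and call
# each function. Ordering is the user's responsibility, as the notes say;
# an unset or empty array means the hook point is simply a no-op.
run_hooks() {
    local hook_name="$1" func
    local -a funcs=()
    eval "funcs=(\"\${$hook_name[@]}\")"
    for func in "${funcs[@]}"; do
        "$func"
    done
}

# Constructed hook definitions, as two files in /etc/whonix_firewall.d
# might provide them. Definition (the function) is kept separate from
# execution (the registration now, the dispatch later).
ScriptFuncPreloadElement1() {
    iptables_cmd -A INPUT -i lo -j ACCEPT
}
ScriptFuncPreloadElement2() {
    iptables_cmd -A INPUT -m conntrack --ctstate INVALID -j DROP
}
register_hook whonix_firewall_input_hook_end ScriptFuncPreloadElement1
register_hook whonix_firewall_input_hook_end ScriptFuncPreloadElement2

# Inside whonix_firewall, at the end of the INPUT section:
run_hooks whonix_firewall_input_hook_end
```

Because every hook point is just a named array, whonix_firewall can call run_hooks at each place it wants to expose (input end, forward end, and so on) without knowing how many add-ons registered there, and the only code from /etc/whonix_firewall.d that runs at load time is the registration line itself.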

Reference: (Forum) whonix, torrents, and being a good tor citizen [archive]
Solution, part b of that thread demonstrates an example set of iptables rules that could be injected within whonix_firewall. (Proof of concept only.)


Reference: (Forum) Favourite (whonix?) bash script boilerplate template? [archive]

  • That thread begins to corral a standard scripting framework.

See Also