Whonix-Workstation Firewall
How-to: Open a Port in Whonix-Workstation ™ Firewall
Open an Incoming Port
Whonix-Gateway ™
→ Whonix-Workstation ™
→ server running inside Whonix-Workstation ™
This allows an incoming connection from Whonix-Gateway ™ to a server running inside Whonix-Workstation ™. This is useful for various purposes, such as making Onion Services reachable.
1. Modify Whonix-Workstation ™ User Firewall Settings
Note: If no changes have yet been made to the Whonix ™ Firewall Settings, the Whonix ™ User Firewall Settings file /etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist yet). This is expected. The firewall reads drop-in files from both /etc/whonix_firewall.d/ and /usr/local/etc/whonix_firewall.d/; the instructions below use the latter because in a Qubes App Qube /usr/local persists while /etc belongs to the Template.
If using Qubes-Whonix ™, complete these steps.
In the Whonix-Workstation ™ App Qube, make sure the folder /usr/local/etc/whonix_firewall.d exists.
sudo mkdir -p /usr/local/etc/whonix_firewall.d
Qubes App Launcher (blue/grey "Q")
→ Whonix-Workstation ™ App Qube (commonly called anon-whonix)
→ Whonix ™ User Firewall Settings
If using a graphical Whonix-Workstation ™, complete these steps.
Start Menu
→ Applications
→ System
→ User Firewall Settings
If using a terminal-only Whonix-Workstation ™, complete these steps.
Open /usr/local/etc/whonix_firewall.d/50_user.conf with root rights.
sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf
Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_workstation_default.conf.
The Whonix ™ Global Firewall Settings file /etc/whonix_firewall.d/30_whonix_workstation_default.conf contains the default settings and explanatory comments about their purpose. It is not meant to be edited directly, which is why the instructions below open it without root rights (read-only). The file itself explains how to change firewall settings:
## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When Whonix is updated, this
## file may be overwritten.
Also see: Whonix modular flexible .d style configuration folders.
To view the file, follow these instructions.
If using Qubes-Whonix ™, complete these steps.
Qubes App Launcher (blue/grey "Q")
→ Template: whonix-ws-16
→ Whonix Global Firewall Settings
If using a graphical Whonix-Workstation ™, complete these steps.
Start Menu
→ Applications
→ Settings
→ Global Firewall Settings
If using a terminal-only Whonix-Workstation ™, complete these steps.
In Whonix-Workstation ™, open the whonix_firewall configuration file in an editor.
nano /etc/whonix_firewall.d/30_whonix_workstation_default.conf
2. Add the following line, replacing 80 with the actual port you would like to open. Keep the += and the spaces inside the quotes: the list is space-separated, and += appends to rather than replaces ports added by other drop-in files.
EXTERNAL_OPEN_PORTS+=" 80 "
3. Save.
4. Reload Whonix-Workstation ™ Firewall.
If you are using Qubes-Whonix ™, complete the following steps.
Qubes App Launcher (blue/grey "Q")
→ Whonix-Workstation ™ App Qube (commonly named anon-whonix)
→ Reload Whonix ™ Firewall
If you are using a graphical Whonix-Workstation ™, complete the following steps.
Start Menu
→ Applications
→ System
→ Reload Whonix ™ Firewall
If you are using a terminal-only Whonix-Workstation ™, run.
sudo whonix_firewall
The procedure is complete.
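The reminder in the next chapter, to check before and after a configuration change whether the firewall rules actually changed, applies to every procedure on this page. The following is an added example and not Whonix project code: it normalises two iptables-save snapshots (one taken before the reload, one after) so that only genuine rule changes show up, and checks that the intended TCP port is now accepted. The two snapshots embedded in the script are constructed for the demonstration; their rule lines are illustrative, not the real Whonix-Workstation ™ rule set, and the function names are the example's own.

```shell
#!/bin/bash
# Added example, not Whonix project code: diff two iptables-save snapshots
# taken before and after a firewall reload, so you can see whether the rule
# set actually changed and whether the intended port is now accepted.
#
# On a live Whonix-Workstation the snapshots come from
#     sudo iptables-save > /tmp/fw-before.txt
#     (edit 50_user.conf, reload the firewall)
#     sudo iptables-save > /tmp/fw-after.txt
#     fw_rules_diff /tmp/fw-before.txt /tmp/fw-after.txt
# Here two constructed snapshots stand in for those files so the script runs
# offline; their rule lines are illustrative, not the real Whonix rule set.

# Drop what changes on every run: the "# Generated by"/"# Completed on"
# timestamps and the [packets:bytes] counters on chains and (with -c) rules.
fw_normalize() {
    sed -e '/^# Generated by/d' -e '/^# Completed on/d' \
        -e 's/ \[[0-9]*:[0-9]*\]$//' -e 's/^\[[0-9]*:[0-9]*\] //' "$1"
}

# Print rule lines removed ("- ...") or added ("+ ...") between two snapshots;
# prints nothing when only timestamps or counters differ.
fw_rules_diff() {
    local before after
    before=$(mktemp); after=$(mktemp)
    fw_normalize "$1" > "$before"
    fw_normalize "$2" > "$after"
    diff "$before" "$after" | sed -n -e 's/^< /- /p' -e 's/^> /+ /p'
    rm -f "$before" "$after"
}

# Succeed if the snapshot has an ACCEPT rule in INPUT for the given TCP port.
fw_port_opened() {
    fw_normalize "$1" | grep -q -- "^-A INPUT .*-p tcp .*--dport $2 -j ACCEPT"
}

# --- constructed snapshots (not real Whonix rules) --------------------------
FW_BEFORE=$(mktemp); FW_AFTER=$(mktemp)
trap 'rm -f "$FW_BEFORE" "$FW_AFTER"' EXIT

cat > "$FW_BEFORE" <<'EOF'
# Generated by iptables-save v1.8.7 on Mon Jan  1 10:00:00 2024
*filter
:INPUT DROP [12:840]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [30:2400]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Mon Jan  1 10:00:00 2024
EOF

cat > "$FW_AFTER" <<'EOF'
# Generated by iptables-save v1.8.7 on Mon Jan  1 10:05:00 2024
*filter
:INPUT DROP [57:3910]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [88:7100]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Mon Jan  1 10:05:00 2024
EOF

echo "Rule changes after reload:"
fw_rules_diff "$FW_BEFORE" "$FW_AFTER"
fw_port_opened "$FW_AFTER" 80 && echo "port 80/tcp is now accepted in INPUT"
```

Only the added rule line is reported; the counter and timestamp changes between the two snapshots are suppressed by the normalisation, so an empty diff after a reload means the edit to 50_user.conf had no effect and the drop-in file is worth re-checking.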
Open an Outgoing Port
- This is usually not required!
- This is untested! Always follow the Firewall Refactoring steps before and after making configuration changes to check whether the firewall rules actually changed.
Whonix-Workstation ™
→ Whonix-Gateway ™
→ Tor SocksPort
This allows an outgoing connection from Whonix-Workstation ™ to Whonix-Gateway ™, for example to additional Tor SocksPorts.
1. Reminder on opening outgoing ports.
This is usually not required: the Whonix-Workstation ™ firewall does not restrict which ports on Whonix-Gateway ™ are reachable, as long as they are open in the Whonix-Gateway ™ firewall.
It only matters in timesync-fail-closed firewall mode (the mode the firewall is in while time synchronisation has not yet succeeded), in which outgoing connections to Tor SocksPorts that are not on this list are blocked. [3]
2. Modify Whonix-Workstation ™ User Firewall Settings
Note: If no changes have yet been made to Whonix ™ Firewall Settings, then the Whonix ™ User Firewall Settings File /etc/whonix_firewall.d/50_user.conf
appears empty (because it does not exist). This is expected.
If using Qubes-Whonix ™, complete these steps.
In the Whonix-Workstation ™ App Qube, make sure the folder /usr/local/etc/whonix_firewall.d exists.
sudo mkdir -p /usr/local/etc/whonix_firewall.d
Qubes App Launcher (blue/grey "Q")
→ Whonix-Workstation ™ App Qube (commonly called anon-whonix)
→ Whonix ™ User Firewall Settings
If using a graphical Whonix-Workstation ™, complete these steps.
Start Menu
→ Applications
→ System
→ User Firewall Settings
If using a terminal-only Whonix-Workstation ™, complete these steps.
Open /usr/local/etc/whonix_firewall.d/50_user.conf with root rights.
sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf
3. Add the following line, replacing 9230 with the actual port you would like to open.
INTERNAL_OPEN_PORTS+=" 9230 "
4. Save.
5. Reload Whonix-Workstation ™ Firewall.
If you are using Qubes-Whonix ™, complete the following steps.
Qubes App Launcher (blue/grey "Q")
→ Whonix-Workstation ™ App Qube (commonly named anon-whonix)
→ Reload Whonix ™ Firewall
If you are using a graphical Whonix-Workstation ™, complete the following steps.
Start Menu
→ Applications
→ System
→ Reload Whonix ™ Firewall
If you are using a terminal-only Whonix-Workstation ™, run.
sudo whonix_firewall
The procedure is complete.
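Both port-opening procedures above rely on the same mechanism: the firewall script sources every *.conf drop-in in lexical order, so a += line in 50_user.conf appends to whatever earlier files set, while a plain = would silently replace it. The following is an added example and not Whonix project code. It reproduces that merge on a constructed temporary folder (the default file in it is a stand-in, not the real 30_whonix_workstation_default.conf) and validates the port and IP lists the way a practitioner would before reloading. It goes beyond the two procedures by also covering outgoing_allow_ip_list from the Restrict Outgoing IPs chapter; the function names are the example's own.

```shell
#!/bin/bash
# Added example, not Whonix project code: shows how the whonix_firewall.d
# drop-in files combine and validates EXTERNAL_OPEN_PORTS / INTERNAL_OPEN_PORTS /
# outgoing_allow_ip_list before a reload. Runs entirely on a constructed
# temporary folder; the default file below is a stand-in, not the real
# 30_whonix_workstation_default.conf.

# Source every *.conf in a folder in lexical order (as the firewall script
# reads /etc/whonix_firewall.d and /usr/local/etc/whonix_firewall.d) and print
# the final value of one variable. Runs in a subshell so nothing leaks.
fw_effective_value() {
    ( for f in "$1"/*.conf; do . "$f"; done; printf '%s\n' "${!2}" )
}

# Same, with the value re-split on whitespace so " 80  443 " becomes "80 443".
fw_effective_list() {
    set -- $(fw_effective_value "$1" "$2")
    echo "$*"
}

# Each token of a port list must be an integer in 1..65535. A comma-separated
# entry such as "80,443" is one bad token, which is exactly the mistake this
# catches: the lists are space separated.
fw_validate_ports() {
    for p in $1; do
        case "$p" in *[!0-9]*|'') echo "bad port token: '$p'" >&2; return 1;; esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 1
        fi
    done
    return 0
}

# Each token of an IP allow list must be a dotted-quad IPv4 address.
fw_validate_ipv4_list() {
    for ip in $1; do
        IFS=. read -r a b c d <<< "$ip"
        for o in "$a" "$b" "$c" "$d"; do
            case "$o" in *[!0-9]*|'') echo "bad IPv4 address: '$ip'" >&2; return 1;; esac
            [ "$o" -le 255 ] || { echo "bad IPv4 address: '$ip'" >&2; return 1; }
        done
    done
    return 0
}

# --- constructed demo folders ---------------------------------------------
FW_DEMO=$(mktemp -d)
trap 'rm -rf "$FW_DEMO"' EXIT
mkdir -p "$FW_DEMO/ok" "$FW_DEMO/clobber"
for d in ok clobber; do
    cat > "$FW_DEMO/$d/30_default.conf" <<'EOF'
## constructed stand-in for the default settings file
EXTERNAL_OPEN_PORTS+=""
INTERNAL_OPEN_PORTS+=""
EXTERNAL_OPEN_ALL=false
outgoing_allow_ip_list+=""
EOF
done

# Correct user file: every line appends with +=, keeping the surrounding spaces.
cat > "$FW_DEMO/ok/50_user.conf" <<'EOF'
EXTERNAL_OPEN_PORTS+=" 80 "
EXTERNAL_OPEN_PORTS+=" 443 "
INTERNAL_OPEN_PORTS+=" 9230 "
outgoing_allow_ip_list+=" 95.216.25.250 "
EOF

# Mistaken user file: the second line assigns with = and silently discards
# port 80 (and anything an earlier drop-in file had added).
cat > "$FW_DEMO/clobber/50_user.conf" <<'EOF'
EXTERNAL_OPEN_PORTS+=" 80 "
EXTERNAL_OPEN_PORTS=" 443 "
EOF

for d in ok clobber; do
    echo "$d: EXTERNAL_OPEN_PORTS = '$(fw_effective_list "$FW_DEMO/$d" EXTERNAL_OPEN_PORTS)'"
done
fw_validate_ports "$(fw_effective_value "$FW_DEMO/ok" EXTERNAL_OPEN_PORTS)" && echo "ok: port list valid"
fw_validate_ports " 80,443 " || echo "rejected comma-separated list, as expected"
fw_validate_ipv4_list "$(fw_effective_value "$FW_DEMO/ok" outgoing_allow_ip_list)" && echo "ok: IP list valid"
```

Pointing fw_effective_value at the real /usr/local/etc/whonix_firewall.d (after copying the default file beside the user file) shows the list the firewall will actually use; the clobber folder illustrates why the page insists on the += form.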
How-to: Open All Ports in Whonix-Workstation ™ Firewall
This allows incoming connections from Whonix-Gateway ™ on every port, which is useful for purposes such as making Onion Services reachable. It is broader than most setups need: every service listening inside Whonix-Workstation ™ becomes reachable from Whonix-Gateway ™, so prefer opening individual ports as described above unless all of them are really required.
1. Modify Whonix-Workstation ™ User Firewall Settings
Note: If no changes have yet been made to Whonix ™ Firewall Settings, then the Whonix ™ User Firewall Settings File /etc/whonix_firewall.d/50_user.conf
appears empty (because it does not exist). This is expected.
If using Qubes-Whonix ™, complete these steps.
In the Whonix-Workstation ™ App Qube, make sure the folder /usr/local/etc/whonix_firewall.d exists.
sudo mkdir -p /usr/local/etc/whonix_firewall.d
Qubes App Launcher (blue/grey "Q")
→ Whonix-Workstation ™ App Qube (commonly called anon-whonix)
→ Whonix ™ User Firewall Settings
If using a graphical Whonix-Workstation ™, complete these steps.
Start Menu
→ Applications
→ System
→ User Firewall Settings
If using a terminal-only Whonix-Workstation ™, complete these steps.
Open /usr/local/etc/whonix_firewall.d/50_user.conf with root rights.
sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf
2. Add.
EXTERNAL_OPEN_ALL=true
Save.
3. Reload Whonix-Workstation ™ Firewall.
If you are using Qubes-Whonix ™, complete the following steps.
Qubes App Launcher (blue/grey "Q")
→ Whonix-Workstation ™ App Qube (commonly named anon-whonix)
→ Reload Whonix ™ Firewall
If you are using a graphical Whonix-Workstation ™, complete the following steps.
Start Menu
→ Applications
→ System
→ Reload Whonix ™ Firewall
If you are using a terminal-only Whonix-Workstation ™, run.
sudo whonix_firewall
The procedure is complete.
How-to: Restrict Outgoing IPs in Whonix-Workstation ™ Firewall
This allows restricting which outgoing IP addresses can be reached from inside Whonix-Workstation ™. This might be useful for single-purpose VMs (specifically App Qubes).
Not yet available. Will be available in the near future.
1. Modify Whonix-Workstation ™ User Firewall Settings
Note: If no changes have yet been made to Whonix ™ Firewall Settings, then the Whonix ™ User Firewall Settings File /etc/whonix_firewall.d/50_user.conf
appears empty (because it does not exist). This is expected.
If using Qubes-Whonix ™, complete these steps.
In the Whonix-Workstation ™ App Qube, make sure the folder /usr/local/etc/whonix_firewall.d exists.
sudo mkdir -p /usr/local/etc/whonix_firewall.d
Qubes App Launcher (blue/grey "Q")
→ Whonix-Workstation ™ App Qube (commonly called anon-whonix)
→ Whonix ™ User Firewall Settings
If using a graphical Whonix-Workstation ™, complete these steps.
Start Menu
→ Applications
→ System
→ User Firewall Settings
If using a terminal-only Whonix-Workstation ™, complete these steps.
Open /usr/local/etc/whonix_firewall.d/50_user.conf with root rights.
sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf
2. Add the following line, replacing the example IP address 95.216.25.250 with an actual IP address. Multiple similar lines are supported.
outgoing_allow_ip_list+=" 95.216.25.250 "
Save.
3. Reboot or Reload Whonix-Workstation ™ Firewall.
If you are using Qubes-Whonix ™, complete the following steps.
Qubes App Launcher (blue/grey "Q")
→ Whonix-Workstation ™ App Qube (commonly named anon-whonix)
→ Reload Whonix ™ Firewall
If you are using a graphical Whonix-Workstation ™, complete the following steps.
Start Menu
→ Applications
→ System
→ Reload Whonix ™ Firewall
If you are using a terminal-only Whonix-Workstation ™, run.
sudo whonix_firewall
4. The procedure is complete.
To test:
curl.anondist-orig 95.216.25.250
Disable Whonix-Workstation ™ Firewall Until Reboot
Perform this action inside Whonix-Workstation ™ -- see Firewall Unload.
Permanently Disable Whonix-Workstation ™ Firewall
Perform this action inside Whonix-Workstation ™.
sudo systemctl mask whonix-firewall
No firewall rules will load after rebooting.
Ping
Ping commands should not work for external addresses from Whonix-Workstation ™. ICMP traffic is not proxied and is filtered by the Whonix ™ Firewall (/usr/bin/whonix_firewall), because Tor only transports TCP streams and can carry neither ICMP nor UDP. For example, ping google.com will not work. To make ping functional, see the Allow UDP chapter.
When SUID Disabler and Permission Hardener is enabled in the future, [4] the CAP_NET_RAW capability will be removed from ping to reduce the attack surface, since ping would not work anyway. [5] When that occurs, refer to the Whitelist Specific Capability Binaries chapter to re-enable ping.
Forum discussion: Ping operation permitted?
Allow UDP
The Tor software does not yet support UDP, [6] although Tor provides a DnsPort.
If UDP is urgently required in Whonix ™, a limited workaround is provided below. For the most secure method, see Tunnel UDP over Tor.
To allow UDP, complete the following steps.
1. Modify Whonix-Workstation ™ User Firewall Settings
Note: If no changes have yet been made to Whonix ™ Firewall Settings, then the Whonix ™ User Firewall Settings File /etc/whonix_firewall.d/50_user.conf
appears empty (because it does not exist). This is expected.
If using Qubes-Whonix ™, complete these steps.
In the Whonix-Workstation ™ App Qube, make sure the folder /usr/local/etc/whonix_firewall.d exists.
sudo mkdir -p /usr/local/etc/whonix_firewall.d
Qubes App Launcher (blue/grey "Q")
→ Whonix-Workstation ™ App Qube (commonly called anon-whonix)
→ Whonix ™ User Firewall Settings
If using a graphical Whonix-Workstation ™, complete these steps.
Start Menu
→ Applications
→ System
→ User Firewall Settings
If using a terminal-only Whonix-Workstation ™, complete these steps.
Open /usr/local/etc/whonix_firewall.d/50_user.conf with root rights.
sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf
2. Add. [7]
firewall_allow_udp=true
Save.
3. Reload Whonix-Workstation ™ Firewall.
If you are using Qubes-Whonix ™, complete the following steps.
Qubes App Launcher (blue/grey "Q")
→ Whonix-Workstation ™ App Qube (commonly named anon-whonix)
→ Reload Whonix ™ Firewall
If you are using a graphical Whonix-Workstation ™, complete the following steps.
Start Menu
→ Applications
→ System
→ Reload Whonix ™ Firewall
If you are using a terminal-only Whonix-Workstation ™, run.
sudo whonix_firewall
The procedure is complete. The Whonix-Workstation ™ firewall will now permit UDP to leave Whonix-Workstation ™. Note that this does not make UDP traverse Tor: Whonix-Gateway ™ can only route TCP through Tor, so apart from DNS queries answered by Tor's DnsPort on Whonix-Gateway ™, UDP only becomes useful inside a tunnel such as the one described in Tunnel UDP over Tor.
Purpose
Refer to the Whonix-Workstation ™ firewall design notes for further information.
See Also
- Whonix-Workstation ™ is Firewalled
- Open a Port(s) in Whonix ™ and Port Forwarding
- Whonix ™ Configuration Drop-In Folders
- https://github.com/Whonix/whonix-firewall/blob/master/etc/whonix_firewall.d/30_whonix_workstation_default.conf
- https://github.com/Whonix/whonix-firewall/blob/master/usr/bin/whonix-workstation-firewall
- https://github.com/Whonix/whonix-firewall
- Whonix-Gateway ™ Firewall
Footnotes
- ↑ https://github.com/Whonix/whonix-ws-firewall/blob/Whonix13/man/whonix_firewall.8.ronn
- ↑ man whonix_firewall
- ↑ https://phabricator.whonix.org/T533#11025
- ↑ It was not enabled by default at the time of writing.
- ↑ https://github.com/Whonix/anon-apps-config/blob/master/etc/permission-hardening.d/30_ping.conf
- ↑ https://gitlab.torproject.org/legacy/trac/-/issues/7830
- ↑
Whonix ™ | © ENCRYPTED SUPPORT LP | Freedom Software / Open Source