{{Header}} {{#seo: |description=How-To: Open a Port in {{project_name_workstation_long}} Firewall, Restrict Outgoing IPs, Additional User Custom Firewall Rules and other settings for advanced users. |image=Firewall-34227640.png }} [[File:Firewall-34227640.png|250px|thumb]]
{{project_name_gateway_short}}
→ {{project_name_workstation_short}}
→ server running inside {{project_name_workstation_short}}
This allows for an incoming connection from {{project_name_gateway_short}}. This is useful for various purposes such as:
* A) making [[Onion Services]] reachable; and
* B) [[Whonix-Workstation to Whonix-Workstation Connections]].
{{Box|text=
'''1.''' {{Firewall_Settings_Workstation}}
'''2.''' Add.
Replace <code>80</code> with the actual port you would like to open.
{{CodeSelect|code=
EXTERNAL_OPEN_PORTS+=" 80 "
}}
'''3.''' Save.
'''4.''' {{Reload_Firewall_ws}}
The procedure is complete.
}}
== Open an Outgoing Port ==
This allows for an outgoing connection to {{project_name_gateway_short}}.
{{project_name_workstation_short}}
→ {{project_name_gateway_short}}
→ Tor SocksPort
This might be useful for [[Tor#Additional_SocksPorts|Tor additional SocksPorts]].
{{Firewall_Custom}}
{{Box|text=
'''1.''' Reminder on opening outgoing ports.
This is usually not required, since the {{project_name_workstation_short}} firewall does not restrict which ports on {{project_name_gateway_short}} are reachable, provided these are open in the {{project_name_gateway_short}} firewall.
It is only useful to prevent connections to Tor SocksPorts in timesync-fail-closed firewall mode.
https://phabricator.whonix.org/T533#11025
'''2.''' {{Firewall_Settings_Workstation}}
'''3.''' Add.
Note: Replace <code>9230</code> with the actual port you would like to open.
{{CodeSelect|code=
INTERNAL_OPEN_PORTS+=" 9230 "
}}
'''4.''' Save.
'''5.''' {{Reload_Firewall_ws}}
The procedure is complete.
}}
= How-to: Open All Ports in {{project_name_workstation_short}} Firewall =
{{project_name_gateway_short}}
→ {{project_name_workstation_short}}
→ server running inside {{project_name_workstation_short}}
This allows for an incoming connection from {{project_name_gateway_short}}. This is useful for various purposes such as making [[Onion Services]] reachable.
{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = This procedure is usually not required and should be avoided.
}}
{{Box|text=
'''1.''' {{Firewall_Settings_Workstation}}
'''2.''' Add.
{{CodeSelect|code=
EXTERNAL_OPEN_ALL=true
}}
Save.
'''3.''' {{Reload_Firewall_ws}}
The procedure is complete.
}}
= How-to: Restrict Outgoing IPs in {{project_name_workstation_short}} Firewall =
This allows restricting which outgoing IP addresses can be reached from inside {{project_name_workstation_short}}. This might be useful for single use-case VMs (specifically App Qubes).
'''Testers only!'''
{{Box|text=
'''1.''' {{Firewall_Settings_Workstation}}
'''2.''' Add.
Note: Replace the example IP address <code>95.216.25.250</code> with an actual IP address. Multiple similar lines are supported.
{{CodeSelect|code=
outgoing_allow_ip_list+=" 95.216.25.250 "
}}
Save.
'''3.''' '''Reboot''' or {{Reload_Firewall_ws}}
'''4.''' The procedure is complete.
}}
To test:
{{CodeSelect|code=
curl.anondist-orig 95.216.25.250
}}
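The settings used in the sections above (<code>EXTERNAL_OPEN_PORTS</code>, <code>INTERNAL_OPEN_PORTS</code>, <code>EXTERNAL_OPEN_ALL</code> and <code>outgoing_allow_ip_list</code>) are plain shell assignments. The following added example script (not Whonix project code) checks the values in such a settings file before the firewall is reloaded, flagging ports outside 1-65535, malformed IPv4 addresses and <code>EXTERNAL_OPEN_ALL=true</code>; it assumes the file uses bash syntax, as the <code>+=</code> lines imply, and the sample file it creates when run without arguments contains constructed values.

```bash
#!/bin/bash
## Added example, not Whonix project code: sanity-check the values of the
## firewall settings described on this page before reloading the firewall.
## Assumes the settings file is bash syntax (the "+=" lines imply this).
set -o nounset -o pipefail

## Return 0 if $1 is an integer TCP/UDP port in the range 1..65535.
valid_port() {
  [[ "$1" =~ ^[0-9]{1,5}$ ]] || return 1
  (( 10#$1 >= 1 && 10#$1 <= 65535 ))
}

## Return 0 if $1 is a syntactically valid dotted-quad IPv4 address.
valid_ipv4() {
  local octet
  [[ "$1" =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  for octet in "${BASH_REMATCH[@]:1}"; do (( 10#$octet <= 255 )) || return 1; done
}

## Source the settings file in a subshell (so it cannot clobber this script)
## and print one "VARIABLE: value" line per invalid value. Returns 1 if any
## invalid value was found. EXTERNAL_OPEN_ALL=true is reported but allowed,
## since the page says it is usually not required and should be avoided.
check_firewall_conf() {
  (
    EXTERNAL_OPEN_PORTS="" INTERNAL_OPEN_PORTS="" outgoing_allow_ip_list="" EXTERNAL_OPEN_ALL=""
    . "$1" || exit 1
    bad=0
    for p in $EXTERNAL_OPEN_PORTS; do valid_port "$p" || { echo "EXTERNAL_OPEN_PORTS: $p"; bad=1; }; done
    for p in $INTERNAL_OPEN_PORTS; do valid_port "$p" || { echo "INTERNAL_OPEN_PORTS: $p"; bad=1; }; done
    for ip in $outgoing_allow_ip_list; do valid_ipv4 "$ip" || { echo "outgoing_allow_ip_list: $ip"; bad=1; }; done
    case "$EXTERNAL_OPEN_ALL" in
      ""|false) ;;
      true) echo "EXTERNAL_OPEN_ALL: true (opens all ports; usually not required)" ;;
      *) echo "EXTERNAL_OPEN_ALL: $EXTERNAL_OPEN_ALL"; bad=1 ;;
    esac
    exit "$bad"
  )
}

## Stand-alone demo: with no argument, check a constructed sample file that
## contains one out-of-range port and one malformed address.
if [ "$#" -eq 0 ]; then
  sample="$(mktemp)"
  printf 'EXTERNAL_OPEN_PORTS+=" 80 70000 "\noutgoing_allow_ip_list+=" 95.216.25.250 95.216.25.256 "\n' > "$sample"
  check_firewall_conf "$sample" || echo "sample settings file contains invalid values"
  rm -f "$sample"
else
  check_firewall_conf "$1"
fi
```

Pass the path of the settings file as the only argument to check a real file; the script exits non-zero when it finds an invalid value.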
= Disable {{project_name_workstation_short}} Firewall Until Reboot =
To disable the firewall until the next reboot, perform this action inside {{project_name_workstation_short}}; see [[Dev/Firewall_Unload|Firewall Unload]].
= Permanently Disable {{project_name_workstation_short}} Firewall =
Perform this action inside {{project_name_workstation_short}}.
(In Qubes-Whonix: in the Template.)
{{CodeSelect|code=
sudo systemctl mask whonix-firewall
}}
No firewall rules will load after rebooting.
= Additional User Custom Firewall Rules =
Testers only! [[Unsupported]]!
This might be possible by using a systemd drop-in file.
'''1.''' Firewall refactoring. (Optional.)
It would be good to master the skill of [https://www.kicksecure.com/wiki/Dev/Firewall_Refactoring Firewall Refactoring] first.
'''2.''' {{Open with root rights|filename=
/usr/bin/user-firewall-script
}}
'''3.''' Paste.
NOTE: Replace ## custom user firewall rules here
with the actual user custom firewall rules.
{{CodeSelect|code=
#!/bin/bash
## custom user firewall rules here
}}
'''4.''' Save and exit.
'''5.''' Make executable.
{{CodeSelect|code=
sudo chmod +x /usr/bin/user-firewall-script
}}
'''6.''' Manually test the user firewall script.
{{CodeSelect|code=
sudo user-firewall-script
}}
Once the user firewall script is functional, the user can proceed to automate loading of the user firewall script.
'''7.''' Create the folder <code>/lib/systemd/system/whonix-firewall.service.d</code>.
{{CodeSelect|code=
sudo mkdir -p /lib/systemd/system/whonix-firewall.service.d
}}
'''8.''' {{Open with root rights|filename=
/lib/systemd/system/whonix-firewall.service.d/50_user.conf
}}
'''9.''' Paste.
{{CodeSelect|code=
[Service]
ExecStartPost=/usr/bin/user-firewall-script
}}
'''10.''' Save and exit.
'''11.''' Reload systemd.
{{CodeSelect|code=
sudo systemctl daemon-reload
}}
'''12.''' {{Reload_Firewall_ws}}
'''13.''' Done.
The user firewall rules should now load automatically after reboot. It would be prudent to verify this using the firewall refactoring method.
= Ping =
Ping commands should not work for external addresses from the {{project_name_workstation_short}}. The reason is that [https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol ICMP traffic] is not proxied and it is filtered by the {{project_name_short}} Firewall ({{W_Firewall}}) because [[Tor#UDP|Tor does not support UDP]]. For example, <code>ping google.com</code> will not work. To make ping functional, see the [[#Allow UDP|Allow UDP]] chapter.
[[SUID Disabler and Permission Hardener]] removes the SUID bit from <code>ping</code> to reduce the attack surface, since it would not work anyway. See [https://github.com/Whonix/anon-apps-config/blob/master/etc/permission-hardener.d/30_ping.conf 30_ping.conf].
In the future, if Debian starts using the <code>CAP_NET_RAW</code> capability for ping, removing that capability might be useful as well. When that occurs, to re-enable <code>ping</code> functionality refer to the [[SUID_Disabler_and_Permission_Hardener#Whitelist_Specific_Capability_Binaries|Whitelist Specific Capability Binaries]] chapter. This of course does not resolve the issue that Tor does not support UDP.
Forum discussion: