{{Header}} {{#seo: |description=General information about {{project_name_gateway_long}} firewall. How-To: Changing firewall settings and Open a Port in {{project_name_gateway_long}} Firewall. |image=Firewall146529640.png }} {{firewall_mininav}} [[File:Firewall146529640.png|thumb|200px]] {{intro| General information about {{project_name_gateway_short}} firewall. How-To: Changing firewall settings and Open a Port in {{project_name_gateway_short}} Firewall. }} = Introduction = {{project_name_long}} has an iptables rules script and firewall configuration file for both {{project_name_gateway_short}} and {{project_name_workstation_long}}. {{project_name_gateway_short}} firewall features include: <ref> https://github.com/{{project_name_short}}/whonix-firewall </ref> <div style="column-count:3;-moz-column-count:3;-webkit-column-count:3"> * transparent proxying * stream isolation * reject invalid packages * fail closed mechanism * optional VPN-Firewall * optional isolating proxy * optional incoming flash proxy * optional Tor relay </div> The firewall should not be removed unless you no longer wish to use {{project_name_short}}. = {{project_name_gateway_short}} Firewall Settings = {{Box|text= '''1.''' {{Firewall_Settings_Gateway}} '''2.''' Add setting. '''3.''' Save. '''4.''' {{Reload_Firewall}} '''5.''' Done. The procedure is complete. }} = How-to: Open an Incoming Port on {{project_name_gateway_short}} Firewall = == From the Outside == {{Firewall_Custom}} '''<code>Host</code> → <code>{{project_name_gateway_short}}</code> '''<code>Internet</code> → <code>Host</code> → <code>{{project_name_gateway_short}}</code> This will allow an incoming connection on {{project_name_gateway_short}} originating from: * if using VM: the host. * if using physical isolation: the Internet. {{Box|text= '''1.''' {{Firewall_Settings}} '''2.''' Add. Replace <code>80</code> with the actual port you would like to open. {{CodeSelect|code= EXTERNAL_OPEN_PORTS+=" 80 " }} '''3.''' Save. '''4.''' {{Reload_Firewall}} '''5.''' Done. The procedure is complete. }} == For Connections Originating from {{project_name_workstation_short}} == {{Firewall_Custom}} '''<code>{{project_name_workstation_short}}</code> → <code>{{project_name_gateway_short}}</code>''' This will allow incoming connections from {{project_name_workstation_short}} to {{project_name_gateway_short}}. It might be useful for [[Tor#Additional_SocksPorts|Tor additional <code>SocksPort</code>s]]. ('''<code>{{project_name_workstation_short}}</code> → <code>{{project_name_gateway_short}}</code> → Tor <code>SocksPort</code>''') {{Box|text= '''1.''' {{Firewall_Settings}} '''2.''' Add. Note: Replace <code>9230</code> with the actual port you would like to open. <ref> https://forums.whonix.org/t/internal-open-ports-setting/11404/1 </ref> {{CodeSelect|code= INTERNAL_OPEN_PORTS+=" 9230 " }} '''3.''' Save. '''4.''' {{Reload_Firewall}} The procedure is complete. }} = Disable Socksified Connections = The following setting prevents Whonix-Workstation from making sockified connections, i.e. applications talking to a Tor <code>SocksPort</code> listening on Whonix-Gateway. Add the following setting to Whonix-Gateway firewall configuration. {{CodeSelect|code= WORKSTATION_ALLOW_SOCKSIFIED=0 }} = Disable Transparent Proxying = What is transparent proxying? See [[Stream_Isolation#Transparent_Proxy|Transparent Proxy]]. How to disable transparent proxying? See [[Stream_Isolation#Disable_Transparent_Proxying|Disable Transparent Proxying]]. = See Also = * [[Ports|Open a Port(s) in {{project_name_short}} and Port Forwarding]] * [[Configuration_Files#Configuration_Drop-In_Folders|{{project_name_short}} Configuration Drop-In Folders]] * https://github.com/Whonix/whonix-firewall/blob/master/etc/whonix_firewall.d/30_whonix_gateway_default.conf * https://github.com/Whonix/whonix-firewall/blob/master/usr/bin/whonix-gateway-firewall * https://github.com/Whonix/whonix-firewall * [[{{project_name_workstation_short}}_Firewall|{{project_name_workstation_short}} Firewall]] * [[Install_Software#Whonix-Workstation_is_Firewalled|{{project_name_workstation_short}} is Firewalled]] * [[Redirect_Whonix-Workstation_Ports_or_Unix_Domain_Socket_Files_to_Whonix-Gateway|Redirect Whonix-Workstation Ports or Unix Domain Socket Files to Whonix-Gateway]] = Footnotes = {{reflist|close=1}} {{Footer}} [[Category:Documentation]]