{{Header}}
{{#seo:
|description=General information about {{project_name_gateway_long}} firewall. How-To: Changing firewall settings and Open a Port in {{project_name_gateway_long}} Firewall. 
|image=Firewall146529640.png
}}
{{firewall_mininav}}
[[File:Firewall146529640.png|thumb|200px]]
{{intro|
General information about {{project_name_gateway_short}} firewall. How-To: Changing firewall settings and Open a Port in {{project_name_gateway_short}} Firewall.
}}
= Introduction =
{{project_name_long}} has an iptables rules script and firewall configuration file for both {{project_name_gateway_short}} and {{project_name_workstation_long}}. {{project_name_gateway_short}} firewall features include: <ref>
https://github.com/{{project_name_short}}/whonix-firewall
</ref>

<div style="column-count:3;-moz-column-count:3;-webkit-column-count:3">
* transparent proxying
* stream isolation
* reject invalid packages
* fail closed mechanism
* optional VPN-Firewall
* optional isolating proxy
* optional incoming flash proxy
* optional Tor relay
</div>

The firewall should not be removed unless you no longer wish to use {{project_name_short}}.

= {{project_name_gateway_short}} Firewall Settings =

{{Box|text=
'''1.''' {{Firewall_Settings_Gateway}}

'''2.''' Add setting.

'''3.''' Save.

'''4.''' {{Reload_Firewall}}

'''5.''' Done.

The procedure is complete.
}}

= How-to: Open an Incoming Port on {{project_name_gateway_short}} Firewall =

== From the Outside ==

{{Firewall_Custom}}

'''<code>Host</code> &rarr; <code>{{project_name_gateway_short}}</code>

'''<code>Internet</code> &rarr; <code>Host</code> &rarr; <code>{{project_name_gateway_short}}</code>

This will allow an incoming connection on {{project_name_gateway_short}} originating from:

* if using VM: the host.
* if using physical isolation: the Internet.

{{Box|text=

'''1.''' {{Firewall_Settings}}

'''2.''' Add.

Replace <code>80</code> with the actual port you would like to open.

{{CodeSelect|code=
EXTERNAL_OPEN_PORTS+=" 80 "
}}

'''3.''' Save.

'''4.''' {{Reload_Firewall}}

'''5.''' Done.

The procedure is complete.
}}

== For Connections Originating from {{project_name_workstation_short}} ==

{{Firewall_Custom}}

'''<code>{{project_name_workstation_short}}</code> &rarr; <code>{{project_name_gateway_short}}</code>'''

This will allow incoming connections from {{project_name_workstation_short}} to {{project_name_gateway_short}}.

It might be useful for [[Tor#Additional_SocksPorts|Tor additional <code>SocksPort</code>s]]. ('''<code>{{project_name_workstation_short}}</code> &rarr; <code>{{project_name_gateway_short}}</code> &rarr; Tor <code>SocksPort</code>''')

{{Box|text=

'''1.''' {{Firewall_Settings}}

'''2.''' Add.

Note:  Replace <code>9230</code> with the actual port you would like to open. <ref>
https://forums.whonix.org/t/internal-open-ports-setting/11404/1
</ref>

{{CodeSelect|code=
INTERNAL_OPEN_PORTS+=" 9230 "
}}

'''3.''' Save.

'''4.''' {{Reload_Firewall}}

The procedure is complete.
}}

= Disable Socksified Connections =
The following setting prevents Whonix-Workstation from making sockified connections, i.e. applications talking to a Tor <code>SocksPort</code> listening on Whonix-Gateway.

Add the following setting to Whonix-Gateway firewall configuration.

{{CodeSelect|code=
WORKSTATION_ALLOW_SOCKSIFIED=0
}}

= Disable Transparent Proxying =
What is transparent proxying? See [[Stream_Isolation#Transparent_Proxy|Transparent Proxy]].

How to disable transparent proxying? See [[Stream_Isolation#Disable_Transparent_Proxying|Disable Transparent Proxying]].

= See Also =
* [[Ports|Open a Port(s) in {{project_name_short}} and Port Forwarding]]
* [[Configuration_Files#Configuration_Drop-In_Folders|{{project_name_short}} Configuration Drop-In Folders]]
* https://github.com/Whonix/whonix-firewall/blob/master/etc/whonix_firewall.d/30_whonix_gateway_default.conf
* https://github.com/Whonix/whonix-firewall/blob/master/usr/bin/whonix-gateway-firewall
* https://github.com/Whonix/whonix-firewall
* [[{{project_name_workstation_short}}_Firewall|{{project_name_workstation_short}} Firewall]]
* [[Install_Software#Whonix-Workstation_is_Firewalled|{{project_name_workstation_short}} is Firewalled]]
* [[Redirect_Whonix-Workstation_Ports_or_Unix_Domain_Socket_Files_to_Whonix-Gateway|Redirect Whonix-Workstation Ports or Unix Domain Socket Files to Whonix-Gateway]]

= Footnotes =
{{reflist|close=1}}
{{Footer}}
[[Category:Documentation]]