
Prevent whonix_firewall from starting automatically
Closed, ResolvedPublic

Description

In Qubes, the network interfaces are loaded manually. Now that whonix_firewall is being started with the ifup-pre.d scripts, it is always starting early. I could remove it completely but that will cause upgrade issues.

It took me 3 hours to work around the file being there today. Most of the time was figuring out what was preventing connections to the gateway's secure update server from the TemplateVM.

Normally, in the TemplateVM, I connect to the Gateway to confirm there is a secure update server available. If there is, a proxy is set for apt-get and that is the only traffic allowed in the TemplateVM. If no server is available, I completely lock down the iptables rules. Whonix firewall rules were preventing the initial connection and I had to add a rule to allow outgoing connections to 10.137.255.254:8082.

I would prefer to be able to disable the loading of the firewall in the first place. I load it manually as well.

I also needed to make sure all the replace-ip functions were done well in advance of networking because of this.

One last issue I came across when reloading whonix_firewall was a locked iptables database since some other app had a lock on it at the time. In Jessie you can use iptables --wait ... to prevent this type of failure. This only happened once, but worth noting.

Details

Impact
High

Event Timeline

nrgaway created this task.Jun 3 2015, 10:40 PM
nrgaway updated the task description. (Show Details)
nrgaway raised the priority of this task from to Needs Triage.
nrgaway added a project: qubes-whonix 11.
nrgaway set Impact to Needs Triage.
nrgaway added subscribers: nrgaway, Patrick.

Don't work around this. Try to view this from Whonix perspective where you're upstream yourself. Where upstream can make any changes required to make this work. No need to see qubes-whonix as a fork that needs to work around things. We modify the whonix-(gw|ws)-firewall packages so those are also well suited for Qubes-Whonix.

Probably no need to remove the /etc/network/if-pre-up.d/30_whonix_firewall hook, no? It just runs /usr/bin/whonix_firewall. And we can make any changes required in /usr/bin/whonix_firewall to make this work.

For example in /usr/bin/whonix_firewall line ~55 we could add something like this...

if [ -f "/path/to/some/status-file" ]; then
   true "some debug/explain info msg"
   exit 0
fi

Or we could make /etc/network/if-pre-up.d/30_whonix_firewall...

#!/bin/sh

## This file is part of Whonix.
## Copyright (C) 2012 - 2014 Patrick Schleizer <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

set -e

if [ -e "/usr/lib/qubes" ]; then
   true "some debug/explain info msg"
   exit 0
fi

/usr/bin/whonix_firewall

Are any of these approaches suitable?

> One last issue I came across when reloading whonix_firewall was a locked iptables database since some other app had a lock on it at the time. In Jessie you can use iptables --wait ... to prevent this type of failure. This only happened once, but worth noting.

No idea about that one.

Patrick triaged this task as High priority.Jun 3 2015, 11:02 PM
Patrick added a project: Whonix 11.
Patrick changed Impact from Needs Triage to High.

I currently have it tied into the GATEWAY_IPv4_DROP_INVALID_INCOMING_PACKAGES_POST_HOOK hook.

It would be better to have something in the line 55 range though to be able to be sure nothing loads.

What I want is for the firewall not to load during if-up stage, and will be started manually later after qubes network is configured, but before it's activated. I can control this with a service.

Actually, I prefer the /etc/network/if-pre-up.d/30_whonix_firewall option best. The condition you can set is the same as the rest: !/usr/lib/qubes-whonix. Then I can take care of starting the firewall when it's confirmed the network is configured properly.

In T339#5191, @nrgaway wrote:

> I currently have it tied into the GATEWAY_IPv4_DROP_INVALID_INCOMING_PACKAGES_POST_HOOK hook.

Not great.

> It would be better to have something in the line 55 range though to be able to be sure nothing loads.

Yes.

> What I want is for the firewall not to load during if-up stage, and will be started manually later after qubes network is configured, but before it's activated. I can control this with a service.

> Actually, I prefer the /etc/network/if-pre-up.d/30_whonix_firewall option best. The condition you can set is the same as the rest: !/usr/lib/qubes-whonix. Then I can take care of starting the firewall when it's confirmed the network is configured properly.

You mean by (a) /lib/systemd/system/unit.service.d/ snippet(s)? That sounds good. [Perhaps the networking service could be extended by a Requires= or so.]

I tried to use a systemd drop in snippet but it did not work for ifup@.service.

Maybe the best option is as you suggested earlier since it would prevent the firewall from loading at all at the network stage:

/etc/network/if-pre-up.d/30_whonix_firewall (if a script will work there):

#!/bin/sh

## This file is part of Whonix.
## Copyright (C) 2012 - 2014 Patrick Schleizer <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

set -e

if [ ! -e "/usr/lib/qubes" ]; then
  /usr/bin/whonix_firewall
fi

Slightly different.

#!/bin/sh

## This file is part of Whonix.
## Copyright (C) 2012 - 2014 Patrick Schleizer <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

set -e

if [ -e "/usr/lib/qubes" ]; then
   true "$0: /usr/lib/qubes exists, exiting. See https://phabricator.whonix.org/T339 for details."
   exit 0
fi

/usr/bin/whonix_firewall

Will commit soon.
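The hook agreed on above, as an added example that is not part of the original task or of the Whonix/Qubes-Whonix packages: the marker path and the firewall command are parameters so the skip logic can be exercised without root and without touching /usr/lib/qubes, and a stub firewall stands in for /usr/bin/whonix_firewall. It also shows why the `-e` test is the right one: /usr/lib/qubes is a directory, and `[ -f dir ]` is always false, so a `-f` check would silently run the firewall under Qubes anyway.

```shell
#!/bin/sh
# Added example (not Whonix or Qubes-Whonix code): a testable model of the
# /etc/network/if-pre-up.d/30_whonix_firewall hook discussed in T339.
# Marker directory and firewall command are parameters (assumed interface,
# not the package's own), so this runs unprivileged.
set -e

# Return 0 ("skip the firewall") when the Qubes marker exists.
# Uses -e, not -f: /usr/lib/qubes is a directory, and "[ -f dir ]" is
# always false, so a -f test would run the firewall under Qubes anyway.
qubes_marker_present() {
    marker="${1:-/usr/lib/qubes}"
    [ -e "$marker" ]
}

# The hook body: skip under Qubes, otherwise run the firewall command.
# $1 = marker path, remaining args = firewall command line
# (default: /usr/bin/whonix_firewall, as in the real hook).
whonix_firewall_hook() {
    marker="$1"; shift
    if qubes_marker_present "$marker"; then
        # 'true' with an argument is a no-op that keeps the reason visible in 'sh -x' traces
        true "$0: $marker exists, exiting. See https://phabricator.whonix.org/T339 for details."
        return 0
    fi
    if [ "$#" -eq 0 ]; then
        set -- /usr/bin/whonix_firewall
    fi
    "$@"
}

# Self-check with a constructed marker directory and a stub firewall script
# that appends a line to a log each time it is invoked.
demo_hook() {
    tmp="$(mktemp -d)"
    mkdir "$tmp/qubes"                  # stands in for /usr/lib/qubes (a directory)
    : > "$tmp/log"
    stub="$tmp/stub_firewall.sh"
    printf '#!/bin/sh\necho ran >> "%s"\n' "$tmp/log" > "$stub"

    # -f on a directory is false even though the directory exists; -e is true
    [ -f "$tmp/qubes" ] && f_result=present || f_result=absent
    [ -e "$tmp/qubes" ] && e_result=present || e_result=absent

    whonix_firewall_hook "$tmp/qubes" sh "$stub"      # marker present: stub must not run
    runs_with_marker="$(wc -l < "$tmp/log" | tr -d ' ')"
    whonix_firewall_hook "$tmp/missing" sh "$stub"    # marker absent: stub runs once
    runs_without_marker="$(wc -l < "$tmp/log" | tr -d ' ')"

    rm -rf "$tmp"
    echo "$f_result $e_result $runs_with_marker $runs_without_marker"
}
```

Whatever later starts the firewall manually under Qubes still has to cope with the xtables lock mentioned in the description; on Jessie that means invoking iptables with --wait (-w) inside the firewall script so a concurrent iptables run blocks instead of failing.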

Patrick claimed this task.Jun 15 2015, 6:17 AM
Patrick closed this task as Resolved.Aug 19 2015, 7:26 PM