
integrate whonix-firewall-plugin.sh into whonix-gw-firewall
Closed, ResolvedPublic

Description

During cleanup / refactoring of the qubes-whonix package, I was wondering...

For Whonix 12, I intend to move
https://github.com/adrelanos/qubes-whonix/blob/master/usr/lib/qubes-whonix/init/whonix-firewall-plugin.sh
directly into
https://github.com/Whonix/whonix-gw-firewall/blob/master/usr/bin/whonix_firewall

Is there any reason against that?

Then the GATEWAY_IPv4_DROP_INVALID_INCOMING_PACKAGES_POST_HOOK (https://github.com/adrelanos/qubes-whonix/blob/master/etc/whonix_firewall.d/40_qubes) could be deprecated.

I would find that easier to grasp and maintain. From the perspective of upgrading packages, and the time required for that, nothing would change.

@nrgaway

Details

Impact
Normal

Event Timeline

Patrick updated the task description. (Show Details)Aug 12 2015, 5:03 AM
Patrick set Impact to Normal.
Patrick added subscribers: marmarek, nrgaway, troubadour and 2 others.
Patrick created this task.
Patrick raised the priority of this task from to Normal.

It would be nice to eliminate anything that is not Qubes specific in the qubes-whonix package completely, or as much as possible. Anything you can take out of it by integrating into Whonix would be a good thing.

I also think template-whonix should be replaced by Whonix in two stages.

Stage 1:
Merge template-whonix into Whonix; directory structure can easily be re-worked for template-whonix
Include qubes-whonix package in your packages

Stage 2:
qubes-builder could then build the Whonix packages in the build stage (make qubes-vm) and they would then be available to install in the build-template stage (make template), thus allowing for a fully integrated Whonix build. This involves adding the Whonix packages to COMPONENTS in the builder.conf file in template-whonix, and then they will be downloaded to the qubes-src directory.

Patrick changed the task status from Open to Review.Aug 12 2015, 3:45 PM

Stage 1 sounds good.

Not sure about Stage 2. Building all packages in the (jessie) chroot so build dependencies are not installed within the image would be nice. No idea how much work that would be. qubes-builder would have to be modified to be able to build Whonix's packages. (With dynamic replace of debian/rules hack - building the same packages using two different ways is inviting trouble.) qubes-builder could even build those packages using genmkfile - since genmkfile is usable without installing it on the build machine. (Thanks to environment variable GENMKFILE_PATH.)

Anyhow. Implemented this ticket.


integrated Qubes-Whonix firewall rules (only load when run in Qubes) so those can be removed from the qubes-whonix package, deprecated GATEWAY_IPv4_DROP_INVALID_INCOMING_PACKAGES_POST_HOOK - https://phabricator.whonix.org/T395:
https://github.com/Whonix/whonix-gw-firewall/commit/e0b5d9e2e9d60c634b48584961c7493adc517ead

merged whonix-firewall-plugin.sh into whonix-gw-firewall - https://phabricator.whonix.org/T395:
https://github.com/adrelanos/qubes-whonix/commit/d0ff132edb201deca855f351c81da48d797d6a3f

refactoring Qubes firewall rules, 'export' for variables INT_IF and INT_TIF not required, therefore removed:
https://github.com/Whonix/whonix-gw-firewall/commit/a88586071ba4026fdb3b025c393ff9a8d7dba355

whonix-gw-firewall: refactoring, set INT_IF and INT_TIF for Qubes earlier (below the regular setting of these variables):
https://github.com/Whonix/whonix-gw-firewall/commit/907f999c9ddc6d9b7bec9eb04c8a5f503cd87c2f
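
The structure the commits above describe (regular INT_IF / INT_TIF settings with the Qubes override placed directly below them, Qubes-only rules loaded from inside the same script instead of through a POST_HOOK variable, and no `export` because everything lives in one shell) can be sketched as follows. This is an added illustration, not code from whonix_firewall or qubes-whonix: the marker-file check for "running in Qubes", the `vif+` interface names, the `rule` collector and the sample rules are all assumptions made for the example. Rules are gathered as text so the selection logic can be checked without root or a real iptables.

```shell
#!/bin/sh
# Added example: how a single firewall script can carry both the regular
# and the Qubes-specific settings, selecting them at run time.

# Marker file used to decide whether we run inside a Qubes VM. The path is an
# assumption for this example; QUBES_MARKER can be overridden for testing.
QUBES_MARKER="${QUBES_MARKER:-/usr/share/qubes/marker-vm}"

running_in_qubes() {
    [ -f "$QUBES_MARKER" ]
}

# Rules are appended to a plain shell variable. Because the collector and the
# rule-building code run in the same shell, no 'export' is needed for INT_IF,
# INT_TIF or RULES (plain assignment is enough, as the commit above notes).
RULES=""
rule() {
    RULES="${RULES}iptables $*
"
}

configure_interfaces() {
    # Regular settings first (sample interface name, constructed for the example).
    INT_IF="eth1"
    INT_TIF="eth1"
    # Qubes override directly below the regular settings (the vif+ wildcard is
    # an assumption here; check the real script for the names it uses).
    if running_in_qubes; then
        INT_IF="vif+"
        INT_TIF="vif+"
    fi
}

# Build the full rule set and print it, one iptables command per line.
# The concrete rules are illustrative placeholders, not the project's policy.
build_rules() {
    RULES=""
    configure_interfaces
    rule -P INPUT DROP
    rule -A INPUT -m conntrack --ctstate INVALID -j DROP
    rule -A INPUT -i "$INT_IF" -p tcp --dport 9050 -j ACCEPT
    if running_in_qubes; then
        # Rule that previously had to arrive through the POST_HOOK; now it is
        # just a conditional block inside the same script.
        rule -A INPUT -i "$INT_TIF" -p udp --dport 53 -j ACCEPT
    fi
    printf '%s' "$RULES"
}

# Count how many rules would be loaded; handy for a quick sanity check.
count_rules() {
    build_rules | grep -c .
}

# Actually apply the generated rules (needs root and iptables; not run here).
apply_rules() {
    build_rules | sh -e
}
```

Running `build_rules` on a machine without the marker prints three rules bound to `eth1`; with the marker present it prints four rules bound to `vif+`, without any hook variable having to be set from a second file.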

Patrick closed this task as Resolved.Nov 19 2015, 8:48 PM
Patrick claimed this task.