Use iptables to block network access until sdwdate has succeeded. Reasons:
- cover cases where sdwdate is slow or failing
- catch race conditions where sdwdate is slower than a user starting a client program, server or daemon that already issued network traffic and leaked the time
Previously this was implemented in the form of the timesync progress bar. But such a progress bar was bad for various reasons:
- not enforced, easily ignored
- does not stop automatically starting applications and/or the user from using the network
- a popup which is bad for usability
- two or more popups appear on the same desktop [when using multiple Whonix-Workstations] when using Qubes [due to its nature of using seamless mode]
A follow up task of T300.
Implementation:
- after boot whonix-gw-firewall / whonix-ws-firewall should block the network for everything but Tor and sdwdate
- it should create a /var/run/whonix_firewall/first_run_current_boot.status file
- when Whonix firewall gets restarted and /var/run/whonix_firewall/first_run_current_boot.status already exists, it should unblock the network and create a status file /var/run/whonix_firewall/consecutive_run.status.
- after the first time synchronization succeeded, sdwdate should issue unlocking the network
- sdwdate already creates a status file /var/run/sdwdate/first_success, then
- reload whonix_firewall
- enabled by default
- configuration options to disable all of this
- these options safeguard against the case where sdwdate is one day permanently failing, by still allowing the user to enable network access
- sdwdate-gui should show the status of network time synchronization
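The implementation steps above, as an added illustration written for this task (not the whonix-firewall or sdwdate code itself): the firewall decides between the restricted "first run this boot" mode and full network access from the status files named above, emits the matching OUTPUT rules, and sdwdate records its first success and triggers a firewall reload. Assumptions not taken from the task: the state directories are plain variables (STATE_DIR, SDWDATE_STATE_DIR) so the logic can be exercised without root; the Tor user is "debian-tor" and sdwdate runs as user "sdwdate"; the opt-out option is named firewall_allow_network_before_timesync (hypothetical); the reload command is whonix_firewall; and IPTABLES defaults to "echo iptables" (dry run) and has to be set to "iptables" to actually apply rules. The ruleset is a simplification of the gateway case (only loopback, Tor and sdwdate may send before the clock is trusted).

```shell
#!/bin/sh
# Added illustration of the time-sync network gate, not the project's code.

STATE_DIR="${STATE_DIR:-/var/run/whonix_firewall}"          # assumption: overridable
SDWDATE_STATE_DIR="${SDWDATE_STATE_DIR:-/var/run/sdwdate}"   # assumption: overridable
TOR_USER="${TOR_USER:-debian-tor}"                           # assumption
SDWDATE_USER="${SDWDATE_USER:-sdwdate}"                      # assumption
IPTABLES="${IPTABLES:-echo iptables}"                        # dry run by default
FIREWALL_RELOAD="${FIREWALL_RELOAD:-echo whonix_firewall}"   # assumption: reload command
# hypothetical configuration option: 1 disables the gate entirely
firewall_allow_network_before_timesync="${firewall_allow_network_before_timesync:-0}"

# Prints "restricted" on the first firewall run of this boot and "full" on
# every consecutive run, creating the status files the task describes.
firewall_network_mode() {
    first_run="$STATE_DIR/first_run_current_boot.status"
    consecutive_run="$STATE_DIR/consecutive_run.status"
    mkdir -p "$STATE_DIR"
    if [ "$firewall_allow_network_before_timesync" = "1" ]; then
        echo full
        return 0
    fi
    if [ -e "$first_run" ]; then
        # firewall was restarted (e.g. by sdwdate after its first success)
        touch "$consecutive_run"
        echo full
    else
        touch "$first_run"
        echo restricted
    fi
}

# Emits (or applies, if IPTABLES=iptables) the OUTPUT rules for a mode.
apply_output_rules() {
    mode="$1"
    $IPTABLES -F OUTPUT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    case "$mode" in
        restricted)
            # only Tor and sdwdate may reach the network before the clock is trusted,
            # so no other program can leak the unsynchronized time
            $IPTABLES -A OUTPUT -m owner --uid-owner "$TOR_USER" -j ACCEPT
            $IPTABLES -A OUTPUT -m owner --uid-owner "$SDWDATE_USER" -j ACCEPT
            $IPTABLES -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
            ;;
        full)
            $IPTABLES -A OUTPUT -j ACCEPT
            ;;
        *)
            echo "unknown mode: $mode" >&2
            return 1
            ;;
    esac
}

# sdwdate side: after the first successful synchronization, record the
# first_success status file and reload the firewall so it takes the
# "consecutive run" path and unblocks the network.
sdwdate_first_success() {
    mkdir -p "$SDWDATE_STATE_DIR"
    touch "$SDWDATE_STATE_DIR/first_success"
    $FIREWALL_RELOAD
}

# Firewall entry point: apply_output_rules "$(firewall_network_mode)"
```

A run of `apply_output_rules "$(firewall_network_mode)"` right after boot yields the restricted rules and leaves first_run_current_boot.status behind; the reload issued by sdwdate_first_success finds that file, writes consecutive_run.status and switches to the full ruleset. Because the status files live under /var/run they vanish on reboot, so the next boot starts restricted again.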
Testing:
sudo rm /var/run/sdwdate/* && sudo service sdwdate restart && sudo service tor restart && whonixcheck_tor_bootstrap_wait_max=10 whonixcheck --gui --cli
#TODO:
Better notification than sdwdate-gui if network access is limited or full.