timesync-fail-closed means sdwdate did not succeed yet. Networking for all but Tor and sdwdate should still be locked.
Description
Details
- Impact: Normal
Related Objects
- Mentioned Here: T533: iptables block network access until sdwdate succeeded
Event Timeline
Not sure how to test this. I read through T533 and found this command but it does not restrict Apt traffic.
sudo rm /var/run/sdwdate/* && sudo service sdwdate restart && sudo service tor restart && whonixcheck_tor_bootstrap_wait_max=10 whonixcheck --gui --cli
Also edited:
/etc/whonix_firewall.d/30_whonix_workstation_default.conf
Changed firewall_mode=full -> firewall_mode=timesync-fail-closed but Apt traffic still possible.
Obviously I'm not going in the right direction with this. Or doing something wrong?
Got it. Set firewall_mode=timesync-fail-closed in sys-whonix and reload whonix_firewall. When that is done both whonix-ws-14 and whonix-gw-14 upgrades fail.
Ign:1 tor+http://sgvtcaew4bxjd7ln.onion stretch/updates InRelease
Ign:2 http://vwakviie2ienjx6t.onion/debian stretch-backports InRelease
Err:3 tor+http://sgvtcaew4bxjd7ln.onion stretch/updates Release
  500 Unable to connect [...]
E: The repository 'tor+http://sgvtcaew4bxjd7ln.onion stretch/updates Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
Yes. To simulate being in timesync-fail-closed mode:
In sys-whonix:
sudo firewall_mode=timesync-fail-closed whonix_firewall
Looks like ticket is closeable?
Yes (closeable), updates were not possible in timesync-fail-closed mode. Nothing more to do with this ticket.
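
The manual check in this thread (reload the firewall in timesync-fail-closed mode, then confirm that upgrades fail) can be turned into a repeatable verdict on captured apt output. The script below is an added example, not part of the ticket or of Whonix: the function names, the verdict strings and the sample output with example.onion hosts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Whonix code): decide from `apt-get update` output whether
# any repository was reached while the gateway firewall is fail-closed.
# apt line prefixes: Get:/Hit: mean a repository answered, Err: means a fetch failed.

apt_fail_closed_verdict() {
    # $1: captured output of `apt-get update`
    printf '%s\n' "$1" | awk '
        /^(Get|Hit):[0-9]+ / { reached++ }
        /^Err:[0-9]+ /       { failed++ }
        END {
            if (reached > 0)     print "LEAK"          # apt traffic got through
            else if (failed > 0) print "BLOCKED"       # expected in fail-closed mode
            else                 print "INCONCLUSIVE"  # nothing was attempted
        }'
}

# Live variant (defined only, not called here). Run it in a VM that updates
# through sys-whonix, after reloading the firewall there as shown in the thread:
#   sudo firewall_mode=timesync-fail-closed whonix_firewall
check_live() {
    out=$(LC_ALL=C sudo apt-get update 2>&1)
    apt_fail_closed_verdict "$out"
}

# Constructed sample: every fetch fails, as in the output pasted in the thread.
SAMPLE_BLOCKED='Ign:1 tor+http://example.onion stretch/updates InRelease
Err:2 tor+http://example.onion stretch/updates Release
  500 Unable to connect
E: The repository does no longer have a Release file.'

# Constructed sample: the repository answers, so the firewall did not block apt.
SAMPLE_OPEN='Hit:1 tor+http://example.onion stretch/updates InRelease
Get:2 tor+http://example.onion stretch/updates/main amd64 Packages [1 kB]'

apt_fail_closed_verdict "$SAMPLE_BLOCKED"
apt_fail_closed_verdict "$SAMPLE_OPEN"
```

A LEAK verdict while the firewall is in timesync-fail-closed mode is the failure case this ticket was opened to rule out.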