
Mon, Oct 21

Patrick added a comment to T509: Consider nftables as a replacement for iptables.

NonaSuomy:

Added requested NFTables example from duclicsic #netfilter freenode.

Mon, Oct 21, 7:33 AM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Thu, Oct 17

HulaHoop added a comment to T509: Consider nftables as a replacement for iptables.

Starting with Bullseye, nftables will be the default:

Thu, Oct 17, 7:29 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Jun 20 2019

madaidan added a comment to T875: fix fail closed mechanism.

I don't think anything Debian does would modify any iptables rules, nor does Whonix ship any code to disable the firewall. So "disables the firewall for a minute" is non-existent. It would be bad if that happened.

Jun 20 2019, 10:26 PM · whonix-ws-firewall, whonix-gw-firewall, Whonix

Jun 14 2019

Patrick added a comment to T875: fix fail closed mechanism.

Seems quite hacky. What's the root cause for failing?

Probably, when the package is getting updated, it disables the firewall for a minute so it can apply the updates and the fail closed mechanism kicks in.

Jun 14 2019, 1:21 PM · whonix-ws-firewall, whonix-gw-firewall, Whonix

May 12 2019

madaidan added a comment to T875: fix fail closed mechanism.

Seems quite hacky. What's the root cause for failing?

May 12 2019, 2:14 PM · whonix-ws-firewall, whonix-gw-firewall, Whonix
Patrick added a comment to T729: network hardening.

Could you please review this? @HulaHoop

May 12 2019, 12:56 PM · whonix-ws-firewall, Whonix, whonix-gw-firewall
Patrick added a comment to T875: fix fail closed mechanism.

Seems quite hacky. What's the root cause for failing?

May 12 2019, 12:55 PM · whonix-ws-firewall, whonix-gw-firewall, Whonix

May 11 2019

Patrick assigned T729: network hardening to madaidan.
May 11 2019, 1:12 PM · whonix-ws-firewall, Whonix, whonix-gw-firewall

May 10 2019

madaidan added a comment to T729: network hardening.

My pull request enables all of these except martian packet logging which I doubt would be useful on Whonix.

May 10 2019, 7:18 PM · whonix-ws-firewall, Whonix, whonix-gw-firewall
madaidan added a comment to T875: fix fail closed mechanism.

Maybe disable it just for package upgrades?

May 10 2019, 6:19 PM · whonix-ws-firewall, whonix-gw-firewall, Whonix

Apr 6 2019

Patrick closed T503: have sane built-in defaults even if config files are non-existing as Resolved.

https://github.com/Whonix/anon-ws-disable-stacked-tor/commit/128e2312bf58a5c1cea3eecd74d1fa0a1a194b51

Apr 6 2019, 5:17 PM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix
Patrick updated the task description for T503: have sane built-in defaults even if config files are non-existing.
Apr 6 2019, 5:17 PM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix

Dec 7 2018

Patrick removed a project from T486: Disable conntrack helper?: Whonix 15.
Dec 7 2018, 12:08 PM · Whonix, whonix-ws-firewall, whonix-gw-firewall, enhancement, security
Patrick removed a project from T729: network hardening: Whonix 15.
Dec 7 2018, 12:08 PM · whonix-ws-firewall, Whonix, whonix-gw-firewall
Patrick removed a project from T533: iptables block network access until sdwdate succeeded: Whonix 15.
Dec 7 2018, 12:04 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
Patrick removed a project from T875: fix fail closed mechanism: Whonix 15.
Dec 7 2018, 11:59 AM · whonix-ws-firewall, whonix-gw-firewall, Whonix

Dec 3 2018

HulaHoop added a comment to T509: Consider nftables as a replacement for iptables.

https://researchut.com/post/migrating-firewall-to-nftables/

Dec 3 2018, 6:02 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Nov 17 2018

Patrick triaged T875: fix fail closed mechanism as Normal priority.
Nov 17 2018, 6:12 AM · whonix-ws-firewall, whonix-gw-firewall, Whonix

Oct 1 2018

Patrick placed T503: have sane built-in defaults even if config files are non-existing up for grabs.
Oct 1 2018, 1:17 PM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix

Jul 24 2018

Patrick reopened T503: have sane built-in defaults even if config files are non-existing as "Open".
Jul 24 2018, 5:35 AM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix

Jun 20 2018

HulaHoop added a comment to T509: Consider nftables as a replacement for iptables.

nftables transition info:

Jun 20 2018, 3:03 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Jun 18 2018

Patrick updated the task description for T509: Consider nftables as a replacement for iptables.
Jun 18 2018, 4:23 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Mar 7 2018

Patrick closed T503: have sane built-in defaults even if config files are non-existing as Resolved.
Mar 7 2018, 1:22 AM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix
Patrick changed the status of T486: Disable conntrack helper? from Review to Open.
Mar 7 2018, 12:51 AM · Whonix, whonix-ws-firewall, whonix-gw-firewall, enhancement, security

Dec 21 2017

Patrick changed the status of T533: iptables block network access until sdwdate succeeded from Review to Open.
In T533#13328, @Patrick wrote:

Note to self: try to disable and see if konsole and kwrite are still functional in timesync-fail-closed mode.

## TODO: temporary - https://phabricator.whonix.org/T533#10288
$iptables_cmd -A OUTPUT -m iprange --dst-range "127.0.0.1" -j ACCEPT

https://github.com/Whonix/whonix-ws-firewall/blob/master/usr/bin/whonix_firewall#L318

Dec 21 2017, 5:55 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Nov 21 2017

Patrick created T729: network hardening.
Nov 21 2017, 6:52 PM · whonix-ws-firewall, Whonix, whonix-gw-firewall

Nov 6 2017

Patrick updated the task description for T487: port to netfilter-persistent?.
Nov 6 2017, 12:38 AM · whonix-ws-firewall, Whonix, whonix-gw-firewall

May 26 2017

Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

Note to self: try to disable and see if konsole and kwrite are still functional in timesync-fail-closed mode.

May 26 2017, 5:25 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Feb 16 2017

Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

https://github.com/Whonix/whonixcheck/commit/5c8bf9be88f9951d2263b23aa82818935aa3f733

Feb 16 2017, 12:27 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Feb 5 2017

Patrick updated the task description for T509: Consider nftables as a replacement for iptables.
Feb 5 2017, 5:56 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research
Patrick updated the task description for T509: Consider nftables as a replacement for iptables.
Feb 5 2017, 5:45 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research
Patrick added a project to T509: Consider nftables as a replacement for iptables: iptables.
Feb 5 2017, 3:34 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Jan 31 2017

Patrick updated the task description for T509: Consider nftables as a replacement for iptables.
Jan 31 2017, 9:23 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Jan 30 2017

marmarek added a comment to T509: Consider nftables as a replacement for iptables.

Please note that Qubes 4.0 will use nftables (if available):
https://github.com/QubesOS/qubes-issues/issues/974#issuecomment-251825457

Jan 30 2017, 12:06 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research
Patrick updated the task description for T509: Consider nftables as a replacement for iptables.
Jan 30 2017, 11:05 AM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research
Patrick updated the task description for T509: Consider nftables as a replacement for iptables.
Jan 30 2017, 11:04 AM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Dec 25 2016

Patrick changed the status of T533: iptables block network access until sdwdate succeeded from Open to Review.
Dec 25 2016, 3:52 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
Patrick added a comment to T533: iptables block network access until sdwdate succeeded.
In T533#11156, @Patrick wrote:
Dec 25 2016, 3:52 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Dec 24 2016

Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

First I thought allowing incoming traffic on Whonix-Workstation in timesync-fail-closed mode would be okay, since outgoing traffic would be blocked. On a second thought, it would not be useful if a hidden service was reachable but the backend server could not reply (still blocked in timesync-fail-closed mode). So...

Dec 24 2016, 7:51 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
Patrick added a comment to T533: iptables block network access until sdwdate succeeded.
Dec 24 2016, 12:27 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Dec 23 2016

Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

That's a good idea.

Dec 23 2016, 11:31 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
marmarek added a comment to T533: iptables block network access until sdwdate succeeded.

What about retrying qubes-whonix-torified-updates-proxy-check.service on connection failure?

Dec 23 2016, 9:53 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

The current workaround (to unbreak Whonix developers repository) allowing full outgoing access to 127.0.0.1 is as bad as not implementing this ticket. (One could run apt-get update which results in uwt apt-get update connecting to 127.0.0.1, where Tor would accept it.)

Dec 23 2016, 9:49 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Dec 19 2016

HulaHoop added a comment to T486: Disable conntrack helper?.

I think it's a wrong link.

Dec 19 2016, 2:12 AM · Whonix, whonix-ws-firewall, whonix-gw-firewall, enhancement, security
marmarek added a comment to T486: Disable conntrack helper?.
In T486#11057, @Patrick wrote:

I don't know what to think of this which warns of conntrack... https://lists.torproject.org/pipermail/tor-talk/2016-December/042717.html

Dec 19 2016, 1:38 AM · Whonix, whonix-ws-firewall, whonix-gw-firewall, enhancement, security

Dec 18 2016

Patrick added a comment to T486: Disable conntrack helper?.

I don't know what to think of this which warns of conntrack... https://lists.torproject.org/pipermail/tor-talk/2016-December/042717.html

Dec 18 2016, 11:17 PM · Whonix, whonix-ws-firewall, whonix-gw-firewall, enhancement, security

Dec 16 2016

Patrick changed the status of T533: iptables block network access until sdwdate succeeded from Review to Open.

Blocking outgoing connections to 127.0.0.1 in timesync-fail-closed mode creates massive issues. For example, konsole starts but then is unresponsive (frozen) due to the blocked localhost TCP packets. (And since we'll stay with kwrite.) A solution needs to be found.

Dec 16 2016, 5:48 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Oct 13 2016

Patrick changed the status of T503: have sane built-in defaults even if config files are non-existing from Open to Review.
Oct 13 2016, 1:56 AM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix
Patrick added a comment to T503: have sane built-in defaults even if config files are non-existing.

https://github.com/Whonix/rads/commit/168642875e30d202613d4e0274972ce5d18e102d

Oct 13 2016, 1:56 AM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix
Patrick updated the task description for T503: have sane built-in defaults even if config files are non-existing.
Oct 13 2016, 1:56 AM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix
Patrick updated the task description for T503: have sane built-in defaults even if config files are non-existing.
Oct 13 2016, 1:55 AM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix
Patrick updated the task description for T503: have sane built-in defaults even if config files are non-existing.
Oct 13 2016, 1:53 AM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix
Patrick updated the task description for T503: have sane built-in defaults even if config files are non-existing.
Oct 13 2016, 1:46 AM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix
Patrick updated the task description for T503: have sane built-in defaults even if config files are non-existing.
Oct 13 2016, 1:33 AM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix
Patrick updated the task description for T503: have sane built-in defaults even if config files are non-existing.
Oct 13 2016, 1:28 AM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix
Patrick added a comment to T503: have sane built-in defaults even if config files are non-existing.

https://github.com/Whonix/whonix-gw-firewall/commit/f2dfc5c43cfe28a2b84b4543ee2f8eed07e7b4bd

Oct 13 2016, 12:40 AM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix
Patrick updated the task description for T503: have sane built-in defaults even if config files are non-existing.
Oct 13 2016, 12:26 AM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix

Oct 12 2016

Patrick removed a project from T487: port to netfilter-persistent?: Whonix 14.

netfilter-persistent still has too many issues, and I doubt it will be ready for Whonix 14. In the meantime, whonix-firewall.service will do. Maybe some day.

Oct 12 2016, 4:39 PM · whonix-ws-firewall, Whonix, whonix-gw-firewall
Patrick updated the task description for T487: port to netfilter-persistent?.
Oct 12 2016, 4:37 PM · whonix-ws-firewall, Whonix, whonix-gw-firewall

Oct 10 2016

Patrick changed the status of T486: Disable conntrack helper? from Open to Review.

https://github.com/Whonix/security-misc/commit/6cda8b1496795422d4c0bfcea2ea2bf29c32daa0

Oct 10 2016, 6:18 PM · Whonix, whonix-ws-firewall, whonix-gw-firewall, enhancement, security

Sep 16 2016

Patrick changed the status of T533: iptables block network access until sdwdate succeeded from Open to Review.
Sep 16 2016, 4:54 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
marmarek added a comment to T533: iptables block network access until sdwdate succeeded.

I'd expect some more problems, but nothing serious. For example, CUPS may not work...

Sep 16 2016, 1:40 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

Only kwrite does not work without localhost access. Strange.

Sep 16 2016, 1:36 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
marmarek added a comment to T533: iptables block network access until sdwdate succeeded.

Network shouldn't be needed for GUI applications as long as the DISPLAY environment variable is correctly set. Make sure it's :0, and not localhost:0.

Sep 16 2016, 1:16 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

On Whonix-Gateway:

Sep 16 2016, 1:00 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Sep 9 2016

Patrick added a comment to T533: iptables block network access until sdwdate succeeded.
Sep 9 2016, 5:25 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Sep 7 2016

HulaHoop added a comment to T533: iptables block network access until sdwdate succeeded.

Up to you but I still think timesync-fail-open sounds more technically descriptive from a dev POV than using normal/regular. That isn't a problem because regular users should not even know about it.

Sep 7 2016, 6:07 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Sep 5 2016

Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

restricted mode -> timesync-fail-closed mode

Sep 5 2016, 5:02 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
Patrick updated the task description for T533: iptables block network access until sdwdate succeeded.
Sep 5 2016, 4:20 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Sep 4 2016

Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

Added to bootclockrandomization package. Non-ideal, but less overhead (no additional package just for this) and more code can be reused.

Sep 4 2016, 10:10 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

Yes.

Sep 4 2016, 7:18 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Sep 1 2016

HulaHoop added a comment to T533: iptables block network access until sdwdate succeeded.

OK. Do you suggest a simple sdwdate input box for them to put their current time in, then it applies the offset range we think is safe before setting the guest time?

Sep 1 2016, 7:22 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Aug 30 2016

Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

It's a bit more difficult.

Aug 30 2016, 12:59 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
HulaHoop added a comment to T533: iptables block network access until sdwdate succeeded.

Maybe instruct them to:

Aug 30 2016, 12:18 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Aug 29 2016

Patrick added a comment to T533: iptables block network access until sdwdate succeeded.
- separate whonixcheck help message when Tor bootstrap succeeded but timesync failed
- avoid too technical word "bootstrap"
- output
- comments
Aug 29 2016, 11:53 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Aug 28 2016

HulaHoop added a comment to T533: iptables block network access until sdwdate succeeded.

Instead of monitoring the clock for changes, we can assume that an interrupted Tor connection was caused by a suspend event that initiates syncing. Is the tearing down of stale circuits when waking up the machine detectable in Tor's log? Can this be checked via a control port event?

Aug 28 2016, 3:56 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Aug 27 2016

HulaHoop added a comment to T533: iptables block network access until sdwdate succeeded.

Clock jump detection would be useful independently from this ticket as well.

Aug 27 2016, 8:31 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Aug 26 2016

Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

WIP

Aug 26 2016, 11:02 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

WIP

Aug 26 2016, 10:55 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Aug 25 2016

Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

WIP

Aug 25 2016, 6:11 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Aug 24 2016

Patrick updated the task description for T533: iptables block network access until sdwdate succeeded.
Aug 24 2016, 9:52 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

WIP

Aug 24 2016, 9:52 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Aug 23 2016

Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

Thank you for participating in this one! I can really use some input here.

Aug 23 2016, 9:15 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
HulaHoop added a comment to T533: iptables block network access until sdwdate succeeded.

I like the idea but how do you plan to tackle the case when a user resumes a guest from sleep?

Aug 23 2016, 8:38 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
Patrick updated the task description for T533: iptables block network access until sdwdate succeeded.
Aug 23 2016, 6:58 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
Patrick updated the task description for T533: iptables block network access until sdwdate succeeded.
Aug 23 2016, 6:57 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Aug 3 2016

Patrick created T533: iptables block network access until sdwdate succeeded.
Aug 3 2016, 5:56 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Jul 5 2016

Patrick updated the task description for T487: port to netfilter-persistent?.
Jul 5 2016, 9:25 PM · whonix-ws-firewall, Whonix, whonix-gw-firewall
Patrick added a comment to T487: port to netfilter-persistent?.

netfilter-persistent may not be ready for prime time.

Jul 5 2016, 9:23 PM · whonix-ws-firewall, Whonix, whonix-gw-firewall

Jun 3 2016

Patrick updated the task description for T486: Disable conntrack helper?.
Jun 3 2016, 11:11 PM · Whonix, whonix-ws-firewall, whonix-gw-firewall, enhancement, security
Patrick added a comment to T486: Disable conntrack helper?.

https://labs.riseup.net/code/issues/11391

Jun 3 2016, 11:11 PM · Whonix, whonix-ws-firewall, whonix-gw-firewall, enhancement, security

May 12 2016

Patrick added a comment to T509: Consider nftables as a replacement for iptables.

Yes, one day, nftables may be a good idea. Also, one day, IPv6 support may not be avoidable if it is so widespread that Whonix would stand out without having IPv6 support.

May 12 2016, 12:30 AM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research
Patrick added projects to T509: Consider nftables as a replacement for iptables: whonix-gw-firewall, whonix-ws-firewall, vpn-firewall.
May 12 2016, 12:25 AM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

May 4 2016

Patrick closed T158: whonix-ws-firewall needs a VPN_FIREWALL feature as Resolved.

This is now documented including a fix for T460.

May 4 2016, 6:56 PM · Whonix 13, Whonix, whonix-ws-firewall

Apr 30 2016

Patrick added a comment to T158: whonix-ws-firewall needs a VPN_FIREWALL feature.
Apr 20 03:50:45 host systemd-tmpfiles[281]: Two or more conflicting lines for /run/openvpn configured, ignoring.

But since user tunnel has access to /var/run/openvpn, it should be alright.

Apr 30 2016, 4:33 AM · Whonix 13, Whonix, whonix-ws-firewall

Apr 29 2016

Patrick closed T286: Only source configuration files that end with the `.conf` extension? as Resolved.
Apr 29 2016, 5:55 AM · tb-updater, tb-starter, open-link-confirmation, Whonix-Host, rads, Whonix 13, onion-grater (Control Port Filter Proxy), uwt, build, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix
Patrick added a comment to T286: Only source configuration files that end with the `.conf` extension?.

https://github.com/Whonix/sdwdate/commit/0a0436b2de152ca13445c368fbd7cb95d339c75a

Apr 29 2016, 5:55 AM · tb-updater, tb-starter, open-link-confirmation, Whonix-Host, rads, Whonix 13, onion-grater (Control Port Filter Proxy), uwt, build, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix
Patrick added a comment to T286: Only source configuration files that end with the `.conf` extension?.
In T286#8987, @Patrick wrote:
Apr 29 2016, 2:50 AM · tb-updater, tb-starter, open-link-confirmation, Whonix-Host, rads, Whonix 13, onion-grater (Control Port Filter Proxy), uwt, build, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix

Apr 28 2016

Patrick added a comment to T503: have sane built-in defaults even if config files are non-existing.

https://github.com/Whonix/uwt/commit/651d2af8417fb0b7f77a88493a37935972ed444b

Apr 28 2016, 5:07 AM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix
Patrick changed the status of T286: Only source configuration files that end with the `.conf` extension? from Open to Review.

https://github.com/Whonix/uwt/commit/651d2af8417fb0b7f77a88493a37935972ed444b

Apr 28 2016, 5:07 AM · tb-updater, tb-starter, open-link-confirmation, Whonix-Host, rads, Whonix 13, onion-grater (Control Port Filter Proxy), uwt, build, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix