https://wiki.nftables.org/wiki-nftables/index.php/Atomic_rule_replacement

https://wiki.nftables.org/wiki-nftables/index.php/Scripting

Some progress.

In other words, iptabels is already symlinked to iptabels-nft anyhow. Therefore Whonix is already using iptabels-nft.

• https://unix.stackexchange.com/questions/722007/translate-firewall-rule-from-iptables-to-nftables
• https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables

In T509#20232, @ak88 wrote:

Any updates on this?

Any updates on this?

I am not sure sdwdate-gui would be a strong enough notification if networking was actually blocked if sdwdate did not succeed yet.

It looks like bpfilter is in rather early stages, and it's few years until we'll see it in Debian.

Or skip nftables and use Berkeley Packet Filter (BPF)?

NonaSuomy:

Added requested NFTables example from duclicsic #netfilter freenode.

Starting with Bullseye nftables will be the default:

https://researchut.com/post/migrating-firewall-to-nftables/

nftables transition info:

In T533#13328, @Patrick wrote:

Note to self: try to disable and see if konsole and kwrite are still functional in timesync-fail-closed mode.

## TODO: temporary - https://phabricator.whonix.org/T533#10288
$iptables_cmd -A OUTPUT -m iprange --dst-range "127.0.0.1" -j ACCEPT

https://github.com/Whonix/whonix-ws-firewall/blob/master/usr/bin/whonix_firewall#L318

Note to self: try to disable and see if konsole and kwrite are still functional in timesync-fail-closed mode.

https://github.com/Whonix/whonixcheck/commit/5c8bf9be88f9951d2263b23aa82818935aa3f733

In T533#11156, @Patrick wrote:

• add timesync-fail-closed considerations to ipv4_input_rules / https://github.com/Whonix/whonix-ws-firewall/blob/master/usr/bin/whonix_firewall#L196

First I thought allowing incoming traffic on Whonix-Workstation in timesync-fail-closed mode would be okay, since outgoing traffic would be blocked. On a second thought, it would not be useful if a hidden service was reachable but the backend server could not reply (still blocked in timesync-fail-closed mode). So...

• https://github.com/Whonix/whonix-gw-firewall/commit/00823a325d104e04d065fda8ae96992d1f90e184
• https://github.com/Whonix/whonix-ws-firewall/commit/df5183dcecd62dae9329571c5ab0e57916bd6eb4
• https://github.com/Whonix/qubes-whonix/commit/1c99edbbce1f375591f2e42aaf679ba7492b4dd8

That's a good idea.

What about retrying qubes-whonix-torified-updates-proxy-check.service on
connection failure?

The current workaround (to unbreak Whonix developers repository) allowing full outgoing access to 127.0.0.1 is as bad as not implementing this ticket. (One could run apt-get update which results in uwt apt-get update connecting to 127.0.0.1, where Tor would accept it.)

Blocking outgoing connections to 127.0.0.1 in timesync-fail-closed mode creates massive issues. For example konsole starts but then is unresponsive (frozen) due to the blocked localhost tcp packages. (And since we'll stay with kwrite.) A solution needs to be found.

I'd expect some more problems, but nothing serious. For example CUPS may
not work...

Only kwrite does not work without localhost access. Strange.

Network shouldn't be needed for GUI applications as long as DISPLAY
environment variable is correctly set. Make sure it's :0, and not
localhost:0.

On Whonix-Gateway:

• https://github.com/Whonix/whonix-ws-firewall/commit/9a02fb1cc429bc5450a671708d3dff0da2df257c
• https://github.com/Whonix/whonix-gw-firewall/commit/e55b6213a4d284368a4d3736590f516b712a109e

Up to you but I still think timesync-fail-open sounds more technically descriptive from a dev POV than using normal/regular. That isn't a problem because regular users should not even know about it.

restricted mode -> timesync-fail-closed mode

Added to bootclockrandomization package. Non-ideal, but less overhead (no additional package just for this) and more code can be reused.

Yes.

OK. Do you suggest a simple sdwdate input box for them to put their current time in, then it applies the offset range we think is safe before setting the guest time?

It's a bit more difficult.