
iptables (Project)
Active, Public

Members (1)

Watchers

  • This project does not have any watchers.

Recent Activity

Feb 18 2019

Patrick updated the task description for T466: Qubes sys-whonix does not do its job as Qubes FirewallVM.
Feb 18 2019, 9:30 AM · iptables, whonix-gw-firewall, Qubes, Whonix

Dec 7 2018

Patrick removed a project from T466: Qubes sys-whonix does not do its job as Qubes FirewallVM: Whonix 15.
Dec 7 2018, 12:04 PM · iptables, whonix-gw-firewall, Qubes, Whonix
Patrick removed a project from T533: iptables block network access until sdwdate succeeded: Whonix 15.
Dec 7 2018, 12:04 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Dec 3 2018

HulaHoop added a comment to T509: Consider nftables as a replacement for iptables.

https://researchut.com/post/migrating-firewall-to-nftables/

Dec 3 2018, 6:02 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Jun 20 2018

HulaHoop added a comment to T509: Consider nftables as a replacement for iptables.

nftables transition info:

Jun 20 2018, 3:03 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Jun 18 2018

Patrick updated the task description for T509: Consider nftables as a replacement for iptables.
Jun 18 2018, 4:23 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Dec 21 2017

Patrick changed the status of T533: iptables block network access until sdwdate succeeded from Review to Open.
In T533#13328, @Patrick wrote:

Note to self: try to disable and see if konsole and kwrite are still functional in timesync-fail-closed mode.

## TODO: temporary - https://phabricator.whonix.org/T533#10288
$iptables_cmd -A OUTPUT -m iprange --dst-range "127.0.0.1" -j ACCEPT

https://github.com/Whonix/whonix-ws-firewall/blob/master/usr/bin/whonix_firewall#L318

Dec 21 2017, 5:55 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

May 26 2017

Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

Note to self: try to disable and see if konsole and kwrite are still functional in timesync-fail-closed mode.

May 26 2017, 5:25 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Mar 14 2017

Patrick edited projects for T466: Qubes sys-whonix does not do its job as Qubes FirewallVM, added: Whonix 15; removed Whonix 14.
Mar 14 2017, 9:25 PM · iptables, whonix-gw-firewall, Qubes, Whonix

Feb 16 2017

Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

https://github.com/Whonix/whonixcheck/commit/5c8bf9be88f9951d2263b23aa82818935aa3f733

Feb 16 2017, 12:27 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Feb 5 2017

Patrick updated the task description for T509: Consider nftables as a replacement for iptables.
Feb 5 2017, 5:56 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research
Patrick updated the task description for T509: Consider nftables as a replacement for iptables.
Feb 5 2017, 5:45 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research
Patrick added a project to T466: Qubes sys-whonix does not do its job as Qubes FirewallVM: iptables.
Feb 5 2017, 3:34 PM · iptables, whonix-gw-firewall, Qubes, Whonix
Patrick added a project to T509: Consider nftables as a replacement for iptables: iptables.
Feb 5 2017, 3:34 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Dec 25 2016

Patrick changed the status of T533: iptables block network access until sdwdate succeeded from Open to Review.
Dec 25 2016, 3:52 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
Patrick added a comment to T533: iptables block network access until sdwdate succeeded.
In T533#11156, @Patrick wrote:
Dec 25 2016, 3:52 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Dec 24 2016

Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

First I thought allowing incoming traffic on Whonix-Workstation in timesync-fail-closed mode would be okay, since outgoing traffic would be blocked. On a second thought, it would not be useful if a hidden service was reachable but the backend server could not reply (still blocked in timesync-fail-closed mode). So...

Dec 24 2016, 7:51 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
Patrick added a comment to T533: iptables block network access until sdwdate succeeded.
Dec 24 2016, 12:27 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Dec 23 2016

Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

That's a good idea.

Dec 23 2016, 11:31 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
marmarek added a comment to T533: iptables block network access until sdwdate succeeded.

What about retrying qubes-whonix-torified-updates-proxy-check.service on connection failure?

Dec 23 2016, 9:53 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

The current workaround (to unbreak Whonix developers repository) allowing full outgoing access to 127.0.0.1 is as bad as not implementing this ticket. (One could run apt-get update which results in uwt apt-get update connecting to 127.0.0.1, where Tor would accept it.)

Dec 23 2016, 9:49 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Dec 16 2016

Patrick changed the status of T533: iptables block network access until sdwdate succeeded from Review to Open.

Blocking outgoing connections to 127.0.0.1 in timesync-fail-closed mode creates massive issues. For example, konsole starts but then is unresponsive (frozen) due to the blocked localhost TCP packets. (And since we'll stay with kwrite.) A solution needs to be found.

Dec 16 2016, 5:48 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Sep 16 2016

Patrick changed the status of T533: iptables block network access until sdwdate succeeded from Open to Review.
Sep 16 2016, 4:54 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
marmarek added a comment to T533: iptables block network access until sdwdate succeeded.

I'd expect some more problems, but nothing serious. For example, CUPS may not work...

Sep 16 2016, 1:40 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

Only kwrite does not work without localhost access. Strange.

Sep 16 2016, 1:36 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
marmarek added a comment to T533: iptables block network access until sdwdate succeeded.

Network shouldn't be needed for GUI applications as long as the DISPLAY environment variable is correctly set. Make sure it's :0, and not localhost:0.

Sep 16 2016, 1:16 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

On Whonix-Gateway:

Sep 16 2016, 1:00 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Sep 9 2016

Patrick added a comment to T533: iptables block network access until sdwdate succeeded.
Sep 9 2016, 5:25 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Sep 7 2016

HulaHoop added a comment to T533: iptables block network access until sdwdate succeeded.

Up to you but I still think timesync-fail-open sounds more technically descriptive from a dev POV than using normal/regular. That isn't a problem because regular users should not even know about it.

Sep 7 2016, 6:07 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Sep 5 2016

Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

restricted mode -> timesync-fail-closed mode

Sep 5 2016, 5:02 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
Patrick updated the task description for T533: iptables block network access until sdwdate succeeded.
Sep 5 2016, 4:20 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Sep 4 2016

Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

Added to bootclockrandomization package. Non-ideal, but less overhead (no additional package just for this) and more code can be reused.

Sep 4 2016, 10:10 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

Yes.

Sep 4 2016, 7:18 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Sep 1 2016

HulaHoop added a comment to T533: iptables block network access until sdwdate succeeded.

OK. Do you suggest a simple sdwdate input box for them to put their current time in, then it applies the offset range we think is safe before setting the guest time?

Sep 1 2016, 7:22 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Aug 30 2016

Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

It's a bit more difficult.

Aug 30 2016, 12:59 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
HulaHoop added a comment to T533: iptables block network access until sdwdate succeeded.

Maybe instruct them to:

Aug 30 2016, 12:18 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Aug 29 2016

Patrick added a comment to T533: iptables block network access until sdwdate succeeded.
- separate whonixcheck help message when Tor bootstrap succeeded but timesync failed
- avoid too technical word "bootstrap"
- output
- comments
Aug 29 2016, 11:53 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Aug 28 2016

HulaHoop added a comment to T533: iptables block network access until sdwdate succeeded.

Instead of monitoring the clock for changes, we can assume that an interrupted Tor connection was caused by a suspend event that initiates syncing. Is the tearing down of stale circuits when waking up the machine detectable in Tor's log? Can this be checked via a ControlPort event?

Aug 28 2016, 3:56 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Aug 27 2016

HulaHoop added a comment to T533: iptables block network access until sdwdate succeeded.

Clock jump detection would be useful independently from this ticket also.

Aug 27 2016, 8:31 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Aug 26 2016

Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

WIP

Aug 26 2016, 11:02 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

WIP

Aug 26 2016, 10:55 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Aug 25 2016

Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

WIP

Aug 25 2016, 6:11 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Aug 24 2016

Patrick updated the task description for T533: iptables block network access until sdwdate succeeded.
Aug 24 2016, 9:52 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

WIP

Aug 24 2016, 9:52 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Aug 23 2016

Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

Thank you for participating in this one! I can really use some input here.

Aug 23 2016, 9:15 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
HulaHoop added a comment to T533: iptables block network access until sdwdate succeeded.

I like the idea but how do you plan to tackle the case when a user resumes a guest from sleep?

Aug 23 2016, 8:38 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
Patrick updated the task description for T533: iptables block network access until sdwdate succeeded.
Aug 23 2016, 6:58 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
Patrick updated the task description for T533: iptables block network access until sdwdate succeeded.
Aug 23 2016, 6:57 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Aug 3 2016

Patrick created T533: iptables block network access until sdwdate succeeded.
Aug 3 2016, 5:56 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Jul 11 2016

Patrick updated the task description for T502: prevent running /usr/lib/qubes/qubes-setup-dnat-to-ns in Qubes-Whonix to stop it from modifying firewall rules.
Jul 11 2016, 5:44 PM · security, iptables, Qubes, Whonix 13, Whonix