
whonix-gw-firewall (Project)
Active, Public

Members (1)

Watchers

  • This project does not have any watchers.

Recent Activity

Dec 11 2019

Patrick edited Description on whonix-gw-firewall.
Dec 11 2019, 9:48 AM
marmarek added a comment to T509: Consider nftables / Berkeley Packet Filter (BPF) as a replacement for iptables.

It looks like bpfilter is in rather early stages, and it's a few years until we'll see it in Debian.

Dec 11 2019, 3:35 AM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research
Patrick renamed T509: Consider nftables / Berkeley Packet Filter (BPF) as a replacement for iptables from Consider nftables as a replacement for iptables to Consider nftables / Berkeley Packet Filter (BPF) as a replacement for iptables.
Dec 11 2019, 2:11 AM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research
Patrick added a comment to T509: Consider nftables / Berkeley Packet Filter (BPF) as a replacement for iptables.

Or skip nftables and use Berkeley Packet Filter (BPF)?

Dec 11 2019, 2:10 AM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research
Patrick updated the task description for T509: Consider nftables / Berkeley Packet Filter (BPF) as a replacement for iptables.
Dec 11 2019, 2:09 AM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Oct 21 2019

Patrick added a comment to T509: Consider nftables / Berkeley Packet Filter (BPF) as a replacement for iptables.

NonaSuomy:

Added requested NFTables example from duclicsic #netfilter freenode.

Oct 21 2019, 7:33 AM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Oct 17 2019

HulaHoop added a comment to T509: Consider nftables / Berkeley Packet Filter (BPF) as a replacement for iptables.

Starting with Bullseye nftables will be the default:

Oct 17 2019, 7:29 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Jun 20 2019

madaidan added a comment to T875: fix fail closed mechanism.

I don't think anything Debian does would modify any iptables rules, nor does Whonix ship any code to disable the firewall. So "disables the firewall for a minute" is non-existent. Would be bad if that happened.

Jun 20 2019, 10:26 PM · whonix-ws-firewall, whonix-gw-firewall, Whonix

Jun 14 2019

Patrick added a comment to T875: fix fail closed mechanism.

Seems quite hacky. What's the root cause for failing?

Probably, when the package is getting updated, it disables the firewall for a minute so it can apply the updates and the fail closed mechanism kicks in.

Jun 14 2019, 1:21 PM · whonix-ws-firewall, whonix-gw-firewall, Whonix

May 12 2019

madaidan added a comment to T875: fix fail closed mechanism.

Seems quite hacky. What's the root cause for failing?

May 12 2019, 2:14 PM · whonix-ws-firewall, whonix-gw-firewall, Whonix
Patrick added a comment to T729: network hardening.

Could you please review this? @HulaHoop

May 12 2019, 12:56 PM · whonix-ws-firewall, Whonix, whonix-gw-firewall
Patrick added a comment to T875: fix fail closed mechanism.

Seems quite hacky. What's the root cause for failing?

May 12 2019, 12:55 PM · whonix-ws-firewall, whonix-gw-firewall, Whonix

May 11 2019

Patrick assigned T729: network hardening to madaidan.
May 11 2019, 1:12 PM · whonix-ws-firewall, Whonix, whonix-gw-firewall

May 10 2019

madaidan added a comment to T729: network hardening.

My pull request enables all of these except martian packet logging which I doubt would be useful on Whonix.

May 10 2019, 7:18 PM · whonix-ws-firewall, Whonix, whonix-gw-firewall
madaidan added a comment to T875: fix fail closed mechanism.

Maybe disable it just for package upgrades?

May 10 2019, 6:19 PM · whonix-ws-firewall, whonix-gw-firewall, Whonix

Apr 6 2019

Patrick closed T503: have sane built-in defaults even if config files are non-existing as Resolved.

https://github.com/Whonix/anon-ws-disable-stacked-tor/commit/128e2312bf58a5c1cea3eecd74d1fa0a1a194b51

Apr 6 2019, 5:17 PM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix
Patrick updated the task description for T503: have sane built-in defaults even if config files are non-existing.
Apr 6 2019, 5:17 PM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix

Feb 18 2019

Patrick updated the task description for T466: Qubes sys-whonix does not do its job as Qubes FirewallVM.
Feb 18 2019, 9:30 AM · iptables, whonix-gw-firewall, Whonix, Qubes

Dec 7 2018

Patrick removed a project from T486: Disable conntrack helper?: Whonix 15.
Dec 7 2018, 12:08 PM · Whonix, whonix-ws-firewall, whonix-gw-firewall, enhancement, security
Patrick removed a project from T729: network hardening: Whonix 15.
Dec 7 2018, 12:08 PM · whonix-ws-firewall, Whonix, whonix-gw-firewall
Patrick removed a project from T466: Qubes sys-whonix does not do its job as Qubes FirewallVM: Whonix 15.
Dec 7 2018, 12:04 PM · iptables, whonix-gw-firewall, Whonix, Qubes
Patrick removed a project from T533: iptables block network access until sdwdate succeeded: Whonix 15.
Dec 7 2018, 12:04 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
Patrick removed a project from T875: fix fail closed mechanism: Whonix 15.
Dec 7 2018, 11:59 AM · whonix-ws-firewall, whonix-gw-firewall, Whonix

Dec 3 2018

HulaHoop added a comment to T509: Consider nftables / Berkeley Packet Filter (BPF) as a replacement for iptables.

https://researchut.com/post/migrating-firewall-to-nftables/

Dec 3 2018, 6:02 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Nov 17 2018

Patrick triaged T875: fix fail closed mechanism as Normal priority.
Nov 17 2018, 6:12 AM · whonix-ws-firewall, whonix-gw-firewall, Whonix

Oct 1 2018

Patrick placed T503: have sane built-in defaults even if config files are non-existing up for grabs.
Oct 1 2018, 1:17 PM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix

Jul 24 2018

Patrick reopened T503: have sane built-in defaults even if config files are non-existing as "Open".
Jul 24 2018, 5:35 AM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix

Jun 20 2018

HulaHoop added a comment to T509: Consider nftables / Berkeley Packet Filter (BPF) as a replacement for iptables.

nftables transition info:

Jun 20 2018, 3:03 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Jun 18 2018

Patrick updated the task description for T509: Consider nftables / Berkeley Packet Filter (BPF) as a replacement for iptables.
Jun 18 2018, 4:23 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Mar 7 2018

Patrick closed T462: Gateway PREROUTING rules for SOCKS ports may interfere with trans port traffic as Resolved.
Mar 7 2018, 2:02 AM · Whonix 14, Whonix, whonix-gw-firewall
Patrick closed T503: have sane built-in defaults even if config files are non-existing as Resolved.
Mar 7 2018, 1:22 AM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix
Patrick changed the status of T486: Disable conntrack helper? from Review to Open.
Mar 7 2018, 12:51 AM · Whonix, whonix-ws-firewall, whonix-gw-firewall, enhancement, security

Dec 21 2017

Patrick changed the status of T533: iptables block network access until sdwdate succeeded from Review to Open.
In T533#13328, @Patrick wrote:

Note to self: try to disable and see if konsole and kwrite are still functional in timesync-fail-closed mode.

## TODO: temporary - https://phabricator.whonix.org/T533#10288
$iptables_cmd -A OUTPUT -m iprange --dst-range "127.0.0.1" -j ACCEPT

https://github.com/Whonix/whonix-ws-firewall/blob/master/usr/bin/whonix_firewall#L318

Dec 21 2017, 5:55 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Nov 21 2017

Patrick created T729: network hardening.
Nov 21 2017, 6:52 PM · whonix-ws-firewall, Whonix, whonix-gw-firewall

Nov 6 2017

Patrick updated the task description for T487: port to netfilter-persistent?.
Nov 6 2017, 12:38 AM · whonix-ws-firewall, Whonix, whonix-gw-firewall

May 26 2017

Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

Note to self: try to disable and see if konsole and kwrite are still functional in timesync-fail-closed mode.

May 26 2017, 5:25 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Mar 14 2017

Patrick edited projects for T466: Qubes sys-whonix does not do its job as Qubes FirewallVM, added: Whonix 15; removed Whonix 14.
Mar 14 2017, 9:25 PM · iptables, whonix-gw-firewall, Whonix, Qubes

Feb 16 2017

Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

https://github.com/Whonix/whonixcheck/commit/5c8bf9be88f9951d2263b23aa82818935aa3f733

Feb 16 2017, 12:27 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Feb 5 2017

Patrick updated the task description for T509: Consider nftables / Berkeley Packet Filter (BPF) as a replacement for iptables.
Feb 5 2017, 5:56 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research
Patrick updated the task description for T509: Consider nftables / Berkeley Packet Filter (BPF) as a replacement for iptables.
Feb 5 2017, 5:45 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research
Patrick added a project to T466: Qubes sys-whonix does not do its job as Qubes FirewallVM: iptables.
Feb 5 2017, 3:34 PM · iptables, whonix-gw-firewall, Whonix, Qubes
Patrick added a project to T509: Consider nftables / Berkeley Packet Filter (BPF) as a replacement for iptables: iptables.
Feb 5 2017, 3:34 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Jan 31 2017

Patrick updated the task description for T509: Consider nftables / Berkeley Packet Filter (BPF) as a replacement for iptables.
Jan 31 2017, 9:23 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Jan 30 2017

marmarek added a comment to T509: Consider nftables / Berkeley Packet Filter (BPF) as a replacement for iptables.

Please note that Qubes 4.0 will use nftables (if available):
https://github.com/QubesOS/qubes-issues/issues/974#issuecomment-251825457

Jan 30 2017, 12:06 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research
Patrick updated the task description for T509: Consider nftables / Berkeley Packet Filter (BPF) as a replacement for iptables.
Jan 30 2017, 11:05 AM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research
Patrick updated the task description for T509: Consider nftables / Berkeley Packet Filter (BPF) as a replacement for iptables.
Jan 30 2017, 11:04 AM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Dec 25 2016

Patrick changed the status of T533: iptables block network access until sdwdate succeeded from Open to Review.
Dec 25 2016, 3:52 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
Patrick added a comment to T533: iptables block network access until sdwdate succeeded.
In T533#11156, @Patrick wrote:
Dec 25 2016, 3:52 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Dec 24 2016

Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

First I thought allowing incoming traffic on Whonix-Workstation in timesync-fail-closed mode would be okay, since outgoing traffic would be blocked. On a second thought, it would not be useful if a hidden service was reachable but the backend server could not reply (still blocked in timesync-fail-closed mode). So...

Dec 24 2016, 7:51 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
Patrick added a comment to T533: iptables block network access until sdwdate succeeded.
Dec 24 2016, 12:27 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate