Dec 3 2018
Jun 20 2018
nftables transition info:
Jun 18 2018
Feb 5 2017
Jan 31 2017
Jan 30 2017
Please note that Qubes 4.0 will use nftables (if available):
https://github.com/QubesOS/qubes-issues/issues/974#issuecomment-251825457
Jan 18 2017
Whonix's build script is no longer used to build Qubes-Whonix, so this is not required.
Dec 16 2016
Still acceleration required?
Dec 15 2016
Still acceleration required?
Dec 14 2016
Thanks. The outdated section linked to confused me but I got it now.
--install-to-root is deprecated. That's --target root for a few releases now. For physical isolation.
Looked it up: --install-to-root only relevant if building on the host
Did you try using an apt-cache yet as per build documentation, chapter apt cache?
Dec 13 2016
avoid downloading the same things twice
Aug 30 2016
Aug 25 2016
Jun 27 2016
timesync and apparmor-profile-timesync were deprecated so this task is invalid.
May 12 2016
Yes, one day, nftables may be a good idea. Also, one day, IPv6 support may not be avoided if it is so widespread that Whonix would stand out without having IPv6 support.
Apr 28 2016
The diff looks sane.
Whonix 12. iptables-save-deterministic
Apr 21 2016
Whonix 13. iptables-save-deterministic
Apr 20 2016
This is done. Further work being tracked in T498.
This is covered by T498.
Apr 15 2016
more robust handling of /etc/hostname
added install-from-local-repository script
Apr 8 2016
systemd-nspawn talked about as a drop in replacement for chroot in build environments:
current blockers:
- download of tor, tor-geoipdb, deb.torproject.org-keyring not possible (T472). If we have no networking during that stage... Which is on one hand a very good thing, so we do not depend on it.
We concluded earlier already we don't want to have a debian package hosting Tor Browser tarballs (tb-binary). (Mentioned in T417.) We might reconsider if not avoidable.
I yet have to actually try apt-get install whonix-... and see how it goes. Will work on this next.
Apr 7 2016
Great! This will allow major reduction of duplicated data on installation ISO (Debian base packages, Whonix gw/ws common packages). And also result in smaller Whonix templates (no build depends installed there).
As for the cleanup - that's fine - it can be done using salt management stack.
- Chroot scripts were reduced to a minimum.
- They are no longer relevant for installation of Whonix from repository using apt-get install whonix-gateway etc.
- Non-Qubes-Whonix: chroot scripts are still relevant for building Non-Qubes-Whonix images using Whonix's build script. To my knowledge, there is no sane way to run the cleanup chroot script from within a Debian package maintainer script.
- Qubes-Whonix: chroot-scripts are mostly irrelevant. Mostly. When the whonix-gateway or whonix-workstation package gets installed into a Qubes Debian template - with the purpose of morphing it into Whonix - perhaps while running on top of the Qubes installer DVD - then the cleanup of the template would be up to the script doing that. It could do so by running /usr/lib/anon-dist/chroot-scripts-post.d/80_cleanup or otherwise.
merged chroot scripts from anon-shared-build-sanity-checks and anon-shared-build-remember-sources
check for nonfree packages during
There are only 4 chroot scripts left.
fixed logging version of the package as build version
cleanup, got rid of obsolete /usr/lib/anon-dist/chroot-scripts-pre.d/20_sanity_checks