
whonix-ws-firewall Project (Active, Public)

Members (1)

Watchers

  • This project does not have any watchers.

Recent Activity

Fri, Dec 7

Patrick removed a project from T486: Disable conntrack helper?: Whonix 15.
Fri, Dec 7, 12:08 PM · Whonix, whonix-ws-firewall, whonix-gw-firewall, enhancement, security
Patrick removed a project from T729: network hardening: Whonix 15.
Fri, Dec 7, 12:08 PM · whonix-ws-firewall, Whonix, whonix-gw-firewall
Patrick removed a project from T533: iptables block network access until sdwdate succeeded: Whonix 15.
Fri, Dec 7, 12:04 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
Patrick removed a project from T875: fix fail closed mechanism: Whonix 15.
Fri, Dec 7, 11:59 AM · whonix-ws-firewall, whonix-gw-firewall, Whonix

Mon, Dec 3

HulaHoop added a comment to T509: Consider nftables as a replacement for iptables.

https://researchut.com/post/migrating-firewall-to-nftables/

Mon, Dec 3, 6:02 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Sat, Nov 17

Patrick triaged T875: fix fail closed mechanism as Normal priority.
Sat, Nov 17, 6:12 AM · whonix-ws-firewall, whonix-gw-firewall, Whonix

Oct 1 2018

Patrick placed T503: have sane built-in defaults even if config files are non-existing up for grabs.
Oct 1 2018, 1:17 PM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix

Jul 24 2018

Patrick reopened T503: have sane built-in defaults even if config files are non-existing as "Open".
Jul 24 2018, 5:35 AM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix

Jun 20 2018

HulaHoop added a comment to T509: Consider nftables as a replacement for iptables.

nftables transition info:

Jun 20 2018, 3:03 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Jun 18 2018

Patrick updated the task description for T509: Consider nftables as a replacement for iptables.
Jun 18 2018, 4:23 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Mar 7 2018

Patrick closed T503: have sane built-in defaults even if config files are non-existing as Resolved.
Mar 7 2018, 1:22 AM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix
Patrick changed the status of T486: Disable conntrack helper? from Review to Open.
Mar 7 2018, 12:51 AM · Whonix, whonix-ws-firewall, whonix-gw-firewall, enhancement, security

Dec 21 2017

Patrick changed the status of T533: iptables block network access until sdwdate succeeded from Review to Open.
In T533#13328, @Patrick wrote:

Note to self: try to disable and see if konsole and kwrite are still functional in timesync-fail-closed mode.

## TODO: temporary - https://phabricator.whonix.org/T533#10288
$iptables_cmd -A OUTPUT -m iprange --dst-range "127.0.0.1" -j ACCEPT

https://github.com/Whonix/whonix-ws-firewall/blob/master/usr/bin/whonix_firewall#L318

Dec 21 2017, 5:55 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Nov 21 2017

Patrick created T729: network hardening.
Nov 21 2017, 6:52 PM · whonix-ws-firewall, Whonix, whonix-gw-firewall

Nov 6 2017

Patrick updated the task description for T487: port to netfilter-persistent?.
Nov 6 2017, 12:38 AM · whonix-ws-firewall, whonix-gw-firewall, Whonix

May 26 2017

Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

Note to self: try to disable and see if konsole and kwrite are still functional in timesync-fail-closed mode.

May 26 2017, 5:25 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Feb 16 2017

Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

https://github.com/Whonix/whonixcheck/commit/5c8bf9be88f9951d2263b23aa82818935aa3f733

Feb 16 2017, 12:27 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Feb 5 2017

Patrick updated the task description for T509: Consider nftables as a replacement for iptables.
Feb 5 2017, 5:56 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research
Patrick updated the task description for T509: Consider nftables as a replacement for iptables.
Feb 5 2017, 5:45 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research
Patrick added a project to T509: Consider nftables as a replacement for iptables: iptables.
Feb 5 2017, 3:34 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Jan 31 2017

Patrick updated the task description for T509: Consider nftables as a replacement for iptables.
Jan 31 2017, 9:23 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Jan 30 2017

marmarek added a comment to T509: Consider nftables as a replacement for iptables.

Please note that Qubes 4.0 will use nftables (if available):
https://github.com/QubesOS/qubes-issues/issues/974#issuecomment-251825457

Jan 30 2017, 12:06 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research
Patrick updated the task description for T509: Consider nftables as a replacement for iptables.
Jan 30 2017, 11:05 AM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research
Patrick updated the task description for T509: Consider nftables as a replacement for iptables.
Jan 30 2017, 11:04 AM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Dec 25 2016

Patrick changed the status of T533: iptables block network access until sdwdate succeeded from Open to Review.
Dec 25 2016, 3:52 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
Patrick added a comment to T533: iptables block network access until sdwdate succeeded.
In T533#11156, @Patrick wrote:
Dec 25 2016, 3:52 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Dec 24 2016

Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

First I thought allowing incoming traffic on Whonix-Workstation in timesync-fail-closed mode would be okay, since outgoing traffic would be blocked. On a second thought, it would not be useful if a hidden service was reachable but the backend server could not reply (still blocked in timesync-fail-closed mode). So...

Dec 24 2016, 7:51 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
Patrick added a comment to T533: iptables block network access until sdwdate succeeded.
Dec 24 2016, 12:27 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Dec 23 2016

Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

That's a good idea.

Dec 23 2016, 11:31 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
marmarek added a comment to T533: iptables block network access until sdwdate succeeded.

What about retrying qubes-whonix-torified-updates-proxy-check.service on connection failure?

Dec 23 2016, 9:53 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
Patrick added a comment to T533: iptables block network access until sdwdate succeeded.

The current workaround (to unbreak the Whonix developers' repository) allowing full outgoing access to 127.0.0.1 is as bad as not implementing this ticket. (One could run apt-get update, which results in uwt apt-get update connecting to 127.0.0.1, where Tor would accept it.)

Dec 23 2016, 9:49 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Dec 19 2016

HulaHoop added a comment to T486: Disable conntrack helper?.

I think it's a wrong link.

Dec 19 2016, 2:12 AM · Whonix, whonix-ws-firewall, whonix-gw-firewall, enhancement, security
marmarek added a comment to T486: Disable conntrack helper?.
In T486#11057, @Patrick wrote:

I don't know what to think of this which warns of conntrack... https://lists.torproject.org/pipermail/tor-talk/2016-December/042717.html

Dec 19 2016, 1:38 AM · Whonix, whonix-ws-firewall, whonix-gw-firewall, enhancement, security

Dec 18 2016

Patrick added a comment to T486: Disable conntrack helper?.

I don't know what to think of this which warns of conntrack... https://lists.torproject.org/pipermail/tor-talk/2016-December/042717.html

Dec 18 2016, 11:17 PM · Whonix, whonix-ws-firewall, whonix-gw-firewall, enhancement, security

Dec 16 2016

Patrick changed the status of T533: iptables block network access until sdwdate succeeded from Review to Open.

Blocking outgoing connections to 127.0.0.1 in timesync-fail-closed mode creates massive issues. For example konsole starts but then is unresponsive (frozen) due to the blocked localhost tcp packages. (And since we'll stay with kwrite.) A solution needs to be found.

Dec 16 2016, 5:48 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Oct 13 2016

Patrick changed the status of T503: have sane built-in defaults even if config files are non-existing from Open to Review.
Oct 13 2016, 1:56 AM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix
Patrick added a comment to T503: have sane built-in defaults even if config files are non-existing.

https://github.com/Whonix/rads/commit/168642875e30d202613d4e0274972ce5d18e102d

Oct 13 2016, 1:56 AM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix
Patrick updated the task description for T503: have sane built-in defaults even if config files are non-existing.
Oct 13 2016, 1:56 AM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix
Patrick updated the task description for T503: have sane built-in defaults even if config files are non-existing.
Oct 13 2016, 1:55 AM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix
Patrick updated the task description for T503: have sane built-in defaults even if config files are non-existing.
Oct 13 2016, 1:53 AM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix
Patrick updated the task description for T503: have sane built-in defaults even if config files are non-existing.
Oct 13 2016, 1:46 AM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix
Patrick updated the task description for T503: have sane built-in defaults even if config files are non-existing.
Oct 13 2016, 1:33 AM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix
Patrick updated the task description for T503: have sane built-in defaults even if config files are non-existing.
Oct 13 2016, 1:28 AM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix
Patrick added a comment to T503: have sane built-in defaults even if config files are non-existing.

https://github.com/Whonix/whonix-gw-firewall/commit/f2dfc5c43cfe28a2b84b4543ee2f8eed07e7b4bd

Oct 13 2016, 12:40 AM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix
Patrick updated the task description for T503: have sane built-in defaults even if config files are non-existing.
Oct 13 2016, 12:26 AM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix

Oct 12 2016

Patrick removed a project from T487: port to netfilter-persistent?: Whonix 14.

netfilter-persistent still has too many issues, and I doubt it will be ready for Whonix 14. In the meantime, whonix-firewall.service will do. Maybe some day.

Oct 12 2016, 4:39 PM · whonix-ws-firewall, whonix-gw-firewall, Whonix
Patrick updated the task description for T487: port to netfilter-persistent?.
Oct 12 2016, 4:37 PM · whonix-ws-firewall, whonix-gw-firewall, Whonix

Oct 10 2016

Patrick changed the status of T486: Disable conntrack helper? from Open to Review.

https://github.com/Whonix/security-misc/commit/6cda8b1496795422d4c0bfcea2ea2bf29c32daa0

Oct 10 2016, 6:18 PM · Whonix, whonix-ws-firewall, whonix-gw-firewall, enhancement, security

Sep 16 2016

Patrick changed the status of T533: iptables block network access until sdwdate succeeded from Open to Review.
Sep 16 2016, 4:54 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
marmarek added a comment to T533: iptables block network access until sdwdate succeeded.

I'd expect some more problems, but nothing serious. For example CUPS may not work...

Sep 16 2016, 1:40 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate