Change Details

Iptables block network access until #sdwdate succeeded. Reasons: * cover cases where sdwdate is slow or failing * catch race conditions where sdwdate is slower than a user starting a client program, server or daemon that already issued network traffic and leaked the time Previously this was implemented in form of the #timesync progress bar. But such a progress bar was bad for various reasons: * not enforced, easily ignored * does not stop automatically starting applications and/or the user from using the network * a popup which is bad for usability * two or more [when using multiple Whonix-Workstation's] on the same desktop when using Qubes [due to its nature of using seamless mode] A follow up task of T300. Implementation: * after boot #whonix-gw-firewall / #whonix-ws-firewall should block the network for everything but Tor and #sdwdate ** should create a `/var/run/whonix_firewall/first_run_current_boot.status` file ** when Whonix firewall gets restarted and `/var/run/whonix_firewall/first_run_current_boot.status` already exists, it should unblock the network and create a status file `/var/run/whonix_firewall/consecutive_run.status`. * after the first time synchronization succeeded, sdwdate should issue unlocking the network ** sdwdate could create a status file `/var/run/sdwdate/first_success.status`, then ** reload whonix_firewall * enabled by default * configuration options to disable all of this * all of this should safeguard allowing the user to allow network access even if one day a case is met where sdwdate is permanently failing * #sdwdate-gui should shows that status of network time synchronization

Iptables block network access until #sdwdate succeeded. Reasons: * cover cases where sdwdate is slow or failing * catch race conditions where sdwdate is slower than a user starting a client program, server or daemon that already issued network traffic and leaked the time Previously this was implemented in form of the #timesync progress bar. But such a progress bar was bad for various reasons: * not enforced, easily ignored * does not stop automatically starting applications and/or the user from using the network * a popup which is bad for usability * two or more [when using multiple Whonix-Workstation's] on the same desktop when using Qubes [due to its nature of using seamless mode] A follow up task of T300. Implementation: * after boot #whonix-gw-firewall / #whonix-ws-firewall should block the network for everything but Tor and #sdwdate ** should create a `/var/run/whonix_firewall/first_run_current_boot.status` file ** when Whonix firewall gets restarted and `/var/run/whonix_firewall/first_run_current_boot.status` already exists, it should unblock the network and create a status file `/var/run/whonix_firewall/consecutive_run.status`. * after the first time synchronization succeeded, sdwdate should issue unlocking the network ** sdwdate already creates a status file `/var/run/sdwdate/first_success`, then ** reload whonix_firewall * enabled by default * configuration options to disable all of this * all of this should safeguard allowing the user to allow network access even if one day a case is met where sdwdate is permanently failing * #sdwdate-gui should shows that status of network time synchronization

Iptables block network access until #sdwdate succeeded. Reasons: * cover cases where sdwdate is slow or failing * catch race conditions where sdwdate is slower than a user starting a client program, server or daemon that already issued network traffic and leaked the time Previously this was implemented in form of the #timesync progress bar. But such a progress bar was bad for various reasons: * not enforced, easily ignored * does not stop automatically starting applications and/or the user from using the network * a popup which is bad for usability * two or more [when using multiple Whonix-Workstation's] on the same desktop when using Qubes [due to its nature of using seamless mode] A follow up task of T300. Implementation: * after boot #whonix-gw-firewall / #whonix-ws-firewall should block the network for everything but Tor and #sdwdate ** should create a `/var/run/whonix_firewall/first_run_current_boot.status` file ** when Whonix firewall gets restarted and `/var/run/whonix_firewall/first_run_current_boot.status` already exists, it should unblock the network and create a status file `/var/run/whonix_firewall/consecutive_run.status`. * after the first time synchronization succeeded, sdwdate should issue unlocking the network ** sdwdate couldalready creates a status file `/var/run/sdwdate/first_success.status`ss`, then ** reload whonix_firewall * enabled by default * configuration options to disable all of this * all of this should safeguard allowing the user to allow network access even if one day a case is met where sdwdate is permanently failing * #sdwdate-gui should shows that status of network time synchronization