Host Firewall
Donate
Host Firewall Settings and Testing
Upstream[edit]
Since Whonix is based on Kicksecure™, the user can follow these instructions 
Host Firewall
(links to the Kicksecure™ website)
Whonix specific[edit]
Filtering Ports[edit]
Introduction[edit]
From time to time a user asks which incoming/outgoing ports are required by Whonix-Gateway™. The answer is:
- Incoming:
none. - Outgoing:
all.
An alternative technique for controlling ports might be corridor (a Tor traffic whitelisting gateway), since it can act as a firewall. [1]
Incoming[edit]
Whonix-Gateway itself does not open any ports. Users are advised to close all ports on the host as outlined in the Host Firewall Essentials entry.
Outgoing[edit]
Warning: This procedure is not recommended. Port-based filtering of outgoing traffic is not applicable (as in useful) in the case of Whonix-Gateway.
Filtering outgoing ports is difficult, since Tor entry guards or bridges listen on a variety of different ports. Limiting ports Tor uses for outgoing traffic is still possible, but recommended against, since it reduces anonymity. The effect is fewer entry guards or bridges are made available to the user. If users wish to proceed despite the risk, follow the instructions below.
On Whonix-Gateway.
Open file /usr/local/etc/torrc.d/50_user.conf in a text editor
of your choice with sudoedit.
If you are using Qubes-Whonix™, complete the following steps.
Qubes App Launcher (blue/grey "Q") → Whonix-Gateway™ ProxyVM (commonly named sys-whonix) → Tor User Config (Torrc)
If you are using a graphical Whonix-Gateway, complete the following steps.
Start Menu → Applications → Settings → /usr/local/etc/torrc.d/50_user.conf
If you are using a terminal-only Whonix-Gateway, complete the following steps. sudoedit /usr/local/etc/torrc.d/50_user.conf
Add.
ReachableDirAddresses *:80 ReachableORAddresses *:443 ## maybe: FirewallPorts PORTS ## See Tor manual: https://2019.www.torproject.org/docs/tor-manual.html.en
Save.
Reload Tor.
After changing Tor configuration, Tor must be reloaded for changes to take effect.
Note: If Tor does not connect after completing all these steps, then a user mistake is the most likely explanation. Recheck /usr/local/etc/torrc.d/50_user.conf and repeat the steps outlined in the sections above. If Tor then connects successfully, all the necessary changes have been made.
If you are using Qubes-Whonix™, complete the following steps.
Qubes App Launcher (blue/grey "Q") → Whonix-Gateway™ ProxyVM (commonly named 'sys-whonix') → Reload Tor
If you are using a graphical Whonix-Gateway, complete the following steps.
Start Menu → Applications → Settings → Reload Tor
If you are using a terminal-only Whonix-Gateway, click
HERE for instructions.
Complete the following steps.
Reload Tor.
sudo service tor@default reload
Check Tor's daemon status.
sudo service tor@default status
It should include a a message saying.
Active: active (running) since ...
In case of issues, try the following debugging steps.
Check Tor's config.
sudo -u debian-tor tor --verify-config
The output should be similar to the following.
Sep 17 17:40:41.416 [notice] Read configuration file "/usr/local/etc/torrc.d/50_user.conf". Configuration was valid
This issue was also discussed in the old Whonix forum.
Footnotes[edit]
The most watertight privacy operating system in the world.
At
Whonix we value freedom and trust, supporting Open Source and Freedom Software
2012-
2024 ENCRYPTED SUPPORT LP
We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!