Whonix-Workstation Firewall

From Whonix

How-To: Open a Port in Whonix-Workstation Firewall, Restrict Outgoing IPs, Additional User Custom Firewall Rules and other settings for advanced users.


How-to: Open a Port in Whonix-Workstation Firewall

Open an Incoming Port

Whonix-Gateway → Whonix-Workstation → server running inside Whonix-Workstation

This allows for an incoming connection from Whonix-Gateway. This is useful for various purposes such as making Onion Services reachable.

1. Modify Whonix-Workstation User Firewall Settings

Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.

If using Qubes-Whonix, complete these steps.

In the Whonix-Workstation App Qube, make sure the folder /usr/local/etc/whonix_firewall.d exists.

sudo mkdir -p /usr/local/etc/whonix_firewall.d

Qubes App Launcher (blue/grey "Q") → Whonix-Workstation App Qube (commonly called anon-whonix) → Whonix User Firewall Settings

If using a graphical Whonix-Workstation, complete these steps.

Start Menu → Applications → System → User Firewall Settings

If using a terminal-only Whonix-Workstation, complete these steps.

Open file /usr/local/etc/whonix_firewall.d/50_user.conf with root rights.

sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf

Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_workstation_default.conf.

The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_workstation_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.

## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When {{project_name_short}} is updated, this
## file may be overwritten.

Also see: Whonix modular flexible .d style configuration folders.

To view the file, follow these instructions.

If using Qubes-Whonix, complete these steps.

Qubes App Launcher (blue/grey "Q") → Template: whonix-workstation-17 → Whonix Global Firewall Settings

If using a graphical Whonix-Workstation, complete these steps.

Start Menu → Applications → Settings → Global Firewall Settings

If using a terminal-only Whonix-Workstation, complete these steps.

In Whonix-Workstation, open the whonix_firewall configuration file in an editor.

nano /etc/whonix_firewall.d/30_whonix_workstation_default.conf

2. Add.

Replace 80 with the actual port you would like to open.

EXTERNAL_OPEN_PORTS+=" 80 "

3. Save.

4. Reload Whonix-Workstation Firewall.

If you are using Qubes-Whonix, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Workstation App Qube (commonly named anon-whonix) → Reload Whonix Firewall

If you are using a graphical Whonix-Workstation, complete the following steps.

Start Menu → Applications → System → Reload Whonix Firewall

If you are using a terminal-only Whonix-Workstation, run:

sudo whonix_firewall

The procedure is complete.

Open an Outgoing Port

This allows for an outgoing connection to Whonix-Gateway.

Whonix-Workstation → Whonix-Gateway → Tor SocksPort

This might be useful for Tor additional SocksPorts.

Warning:

  • This is usually not required!
  • This is Unsupported! Always follow Firewall Refactoring steps before and after making configuration changes to check if the firewall rules actually changed.

1. Reminder on opening outgoing ports.

This is usually not required since Whonix-Workstation firewall does not restrict what ports on Whonix-Gateway are reachable if these are open in Whonix-Gateway firewall.

It is only useful to prevent connections to Tor SocksPorts in timesync-fail-closed firewall mode. [3]

2. Modify Whonix-Workstation User Firewall Settings

Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.

If using Qubes-Whonix, complete these steps.

In the Whonix-Workstation App Qube, make sure the folder /usr/local/etc/whonix_firewall.d exists.

sudo mkdir -p /usr/local/etc/whonix_firewall.d

Qubes App Launcher (blue/grey "Q") → Whonix-Workstation App Qube (commonly called anon-whonix) → Whonix User Firewall Settings

If using a graphical Whonix-Workstation, complete these steps.

Start Menu → Applications → System → User Firewall Settings

If using a terminal-only Whonix-Workstation, complete these steps.

Open file /usr/local/etc/whonix_firewall.d/50_user.conf with root rights.

sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf

Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_workstation_default.conf.

The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_workstation_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.

## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When {{project_name_short}} is updated, this
## file may be overwritten.

Also see: Whonix modular flexible .d style configuration folders.

To view the file, follow these instructions.

If using Qubes-Whonix, complete these steps.

Qubes App Launcher (blue/grey "Q") → Template: whonix-workstation-17 → Whonix Global Firewall Settings

If using a graphical Whonix-Workstation, complete these steps.

Start Menu → Applications → Settings → Global Firewall Settings

If using a terminal-only Whonix-Workstation, complete these steps.

In Whonix-Workstation, open the whonix_firewall configuration file in an editor.

nano /etc/whonix_firewall.d/30_whonix_workstation_default.conf

3. Add.

Note: Replace 9230 with the actual port you would like to open.

INTERNAL_OPEN_PORTS+=" 9230 "

4. Save.

5. Reload Whonix-Workstation Firewall.

If you are using Qubes-Whonix, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Workstation App Qube (commonly named anon-whonix) → Reload Whonix Firewall

If you are using a graphical Whonix-Workstation, complete the following steps.

Start Menu → Applications → System → Reload Whonix Firewall

If you are using a terminal-only Whonix-Workstation, run:

sudo whonix_firewall

The procedure is complete.

How-to: Open All Ports in Whonix-Workstation Firewall

Whonix-Gateway → Whonix-Workstation → server running inside Whonix-Workstation

This allows for an incoming connection from Whonix-Gateway. This is useful for various purposes such as making Onion Services reachable.

Info: This procedure is usually not required and should be avoided.

1. Modify Whonix-Workstation User Firewall Settings

Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.

If using Qubes-Whonix, complete these steps.

In the Whonix-Workstation App Qube, make sure the folder /usr/local/etc/whonix_firewall.d exists.

sudo mkdir -p /usr/local/etc/whonix_firewall.d

Qubes App Launcher (blue/grey "Q") → Whonix-Workstation App Qube (commonly called anon-whonix) → Whonix User Firewall Settings

If using a graphical Whonix-Workstation, complete these steps.

Start Menu → Applications → System → User Firewall Settings

If using a terminal-only Whonix-Workstation, complete these steps.

Open file /usr/local/etc/whonix_firewall.d/50_user.conf with root rights.

sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf

Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_workstation_default.conf.

The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_workstation_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.

## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When {{project_name_short}} is updated, this
## file may be overwritten.

Also see: Whonix modular flexible .d style configuration folders.

To view the file, follow these instructions.

If using Qubes-Whonix, complete these steps.

Qubes App Launcher (blue/grey "Q") → Template: whonix-workstation-17 → Whonix Global Firewall Settings

If using a graphical Whonix-Workstation, complete these steps.

Start Menu → Applications → Settings → Global Firewall Settings

If using a terminal-only Whonix-Workstation, complete these steps.

In Whonix-Workstation, open the whonix_firewall configuration file in an editor.

nano /etc/whonix_firewall.d/30_whonix_workstation_default.conf

2. Add.

EXTERNAL_OPEN_ALL=true

Save.

3. Reload Whonix-Workstation Firewall.

If you are using Qubes-Whonix, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Workstation App Qube (commonly named anon-whonix) → Reload Whonix Firewall

If you are using a graphical Whonix-Workstation, complete the following steps.

Start Menu → Applications → System → Reload Whonix Firewall

If you are using a terminal-only Whonix-Workstation, run:

sudo whonix_firewall

The procedure is complete.

How-to: Restrict Outgoing IPs in Whonix-Workstation Firewall

This allows restricting which outgoing IPs can be reached from inside Whonix-Workstation. This might be useful for single use-case VMs (specifically App Qubes).

Testers only!

1. Modify Whonix-Workstation User Firewall Settings

Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.

If using Qubes-Whonix, complete these steps.

In the Whonix-Workstation App Qube, make sure the folder /usr/local/etc/whonix_firewall.d exists.

sudo mkdir -p /usr/local/etc/whonix_firewall.d

Qubes App Launcher (blue/grey "Q") → Whonix-Workstation App Qube (commonly called anon-whonix) → Whonix User Firewall Settings

If using a graphical Whonix-Workstation, complete these steps.

Start Menu → Applications → System → User Firewall Settings

If using a terminal-only Whonix-Workstation, complete these steps.

Open file /usr/local/etc/whonix_firewall.d/50_user.conf with root rights.

sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf

Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_workstation_default.conf.

The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_workstation_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.

## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When {{project_name_short}} is updated, this
## file may be overwritten.

Also see: Whonix modular flexible .d style configuration folders.

To view the file, follow these instructions.

If using Qubes-Whonix, complete these steps.

Qubes App Launcher (blue/grey "Q") → Template: whonix-workstation-17 → Whonix Global Firewall Settings

If using a graphical Whonix-Workstation, complete these steps.

Start Menu → Applications → Settings → Global Firewall Settings

If using a terminal-only Whonix-Workstation, complete these steps.

In Whonix-Workstation, open the whonix_firewall configuration file in an editor.

nano /etc/whonix_firewall.d/30_whonix_workstation_default.conf

2. Add.

Note: Replace the example IP address 95.216.25.250 with an actual IP address. Multiple similar lines are supported.

outgoing_allow_ip_list+=" 95.216.25.250 "

Save.

3. Reboot or Reload Whonix-Workstation Firewall.

If you are using Qubes-Whonix, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Workstation App Qube (commonly named anon-whonix) → Reload Whonix Firewall

If you are using a graphical Whonix-Workstation, complete the following steps.

Start Menu → Applications → System → Reload Whonix Firewall

If you are using a terminal-only Whonix-Workstation, run:

sudo whonix_firewall

4. The procedure is complete.

To test:

curl.anondist-orig 95.216.25.250

Disable Whonix-Workstation Firewall Until Reboot

To disable until reboot.

Perform this action inside Whonix-Workstation -- see Firewall Unload.

Permanently Disable Whonix-Workstation Firewall

Perform this action inside Whonix-Workstation.

(In Qubes-Whonix: in the Template.)

sudo systemctl mask whonix-firewall

No firewall rules will load after rebooting.

Additional User Custom Firewall Rules

Testers only! Unsupported!

This might be possible by using a systemd drop-in file.

1. Firewall refactoring. (Optional.)

It would be good to master the skill of Firewall Refactoring first.

2. Open file /usr/bin/user-firewall-script in an editor with root rights.

Non-Qubes-Whonix

This box uses sudoedit for better security.

sudoedit /usr/bin/user-firewall-script

Qubes-Whonix

NOTES:

  • When using Qubes-Whonix, this needs to be done inside the Template.

sudoedit /usr/bin/user-firewall-script

  • After applying this change, shutdown the Template.
  • All App Qubes based on the Template need to be restarted if they were already running.
  • This is a general procedure required for Qubes and unspecific to Qubes-Whonix.

Others and Alternatives

  • This is just an example. Other tools could achieve the same goal.
  • If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /usr/bin/user-firewall-script

3. Paste.

NOTE: Replace ## custom user firewall rules here with the actual user custom firewall rules.

#!/bin/bash
## custom user firewall rules here

4. Save and exit.

5. Make executable.

sudo chmod +x /usr/bin/user-firewall-script

6. Manually test the user firewall script.

sudo user-firewall-script

Once the user firewall script is functional, the user can proceed to automate loading of the user firewall script.

7. Create folder /lib/systemd/system/whonix-firewall.service.d.

sudo mkdir -p /lib/systemd/system/whonix-firewall.service.d

8. Open file /lib/systemd/system/whonix-firewall.service.d/50_user.conf in an editor with root rights.

Non-Qubes-Whonix

This box uses sudoedit for better security.

sudoedit /lib/systemd/system/whonix-firewall.service.d/50_user.conf

Qubes-Whonix

NOTES:

  • When using Qubes-Whonix, this needs to be done inside the Template.

sudoedit /lib/systemd/system/whonix-firewall.service.d/50_user.conf

  • After applying this change, shutdown the Template.
  • All App Qubes based on the Template need to be restarted if they were already running.
  • This is a general procedure required for Qubes and unspecific to Qubes-Whonix.

Others and Alternatives

  • This is just an example. Other tools could achieve the same goal.
  • If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /lib/systemd/system/whonix-firewall.service.d/50_user.conf

9. Paste.

[Service]
# Path must match the script created and made executable in the steps above.
ExecStartPost=/usr/bin/user-firewall-script

10. Save and exit.

11. Reload systemd.

sudo systemctl daemon-reload

12. Reload Whonix-Workstation Firewall.

If you are using Qubes-Whonix, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Workstation App Qube (commonly named anon-whonix) → Reload Whonix Firewall

If you are using a graphical Whonix-Workstation, complete the following steps.

Start Menu → Applications → System → Reload Whonix Firewall

If you are using a terminal-only Whonix-Workstation, run:

sudo whonix_firewall

13. Done.

Firewall rules should now be loaded automatically after reboot. It would be prudent to verify this using the Firewall Refactoring method.
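A drop-in whose ExecStartPost= line names a path other than the one the script was actually created at (for example /usr/libexec/user-firewall-script in the drop-in while the script lives in /usr/bin) means systemd cannot run the script and none of the custom rules load, with nothing in the firewall itself to tell you so. The following added example, which is not Whonix project code, is a POSIX shell check that parses such a drop-in, finds every ExecStartPost= entry in the [Service] section and verifies the target exists and is executable. The second argument is an assumed root prefix so the check can run against a constructed directory tree in a temporary directory; leave it empty to check the live system.

```shell
#!/bin/sh
# Added example (not Whonix project code): verify that a systemd drop-in such as
# /lib/systemd/system/whonix-firewall.service.d/50_user.conf points ExecStartPost=
# at a script that exists and is executable.
#   check_execstartpost DROPIN [ROOT]
# ROOT (assumed helper argument) prefixes every path so the check can run against a
# constructed tree; an empty ROOT checks the real filesystem.

check_execstartpost() {
    dropin=$1
    root=${2:-}
    in_service=0
    found=0
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}        # trim leading whitespace
        case $line in
            '['*']')                                   # section header
                if [ "$line" = "[Service]" ]; then in_service=1; else in_service=0; fi
                continue ;;
            ''|\#*|\;*) continue ;;                    # blank line or comment (systemd accepts # and ;)
        esac
        [ "$in_service" -eq 1 ] || continue
        case $line in ExecStartPost=*) ;; *) continue ;; esac
        found=1
        cmdline=${line#ExecStartPost=}
        set -- $cmdline                                # first word is the executable
        exe=$(printf '%s\n' "$1" | sed 's/^[-@:+!]*//') # strip systemd exec prefixes such as "-" or "+"
        case $exe in
            /*) ;;
            *) echo "$dropin: this check expects an absolute path, got '$exe'" >&2; bad=1; continue ;;
        esac
        if [ ! -f "$root$exe" ]; then
            echo "$dropin: ExecStartPost target does not exist: $exe" >&2; bad=1
        elif [ ! -x "$root$exe" ]; then
            echo "$dropin: ExecStartPost target is not executable: $exe" >&2; bad=1
        fi
    done < "$dropin"
    if [ "$found" -eq 0 ]; then
        echo "$dropin: no ExecStartPost= line in [Service]" >&2
        return 1
    fi
    [ "$bad" -eq 0 ]
}

# Constructed sample tree standing in for "/" (not a real Whonix installation).
DEMO_ROOT=$(mktemp -d)
mkdir -p "$DEMO_ROOT/usr/bin" "$DEMO_ROOT/lib/systemd/system/whonix-firewall.service.d"
printf '#!/bin/bash\n## custom user firewall rules here\n' > "$DEMO_ROOT/usr/bin/user-firewall-script"
chmod +x "$DEMO_ROOT/usr/bin/user-firewall-script"

# Drop-in that matches where the script was created.
GOOD_DROPIN="$DEMO_ROOT/lib/systemd/system/whonix-firewall.service.d/50_user.conf"
printf '[Service]\nExecStartPost=/usr/bin/user-firewall-script\n' > "$GOOD_DROPIN"

# Constructed drop-in with a path that does not match the script location.
BAD_DROPIN="$DEMO_ROOT/50_user_wrong_path.conf"
printf '[Service]\nExecStartPost=/usr/libexec/user-firewall-script\n' > "$BAD_DROPIN"

if check_execstartpost "$GOOD_DROPIN" "$DEMO_ROOT"; then echo "drop-in OK"; fi
if ! check_execstartpost "$BAD_DROPIN" "$DEMO_ROOT"; then echo "drop-in rejected"; fi
```

On a real system, run it against the drop-in with an empty root after `sudo systemctl daemon-reload`; `systemctl cat whonix-firewall` shows the merged unit so you can confirm the drop-in was picked up at all. This check only covers the wiring to the script; whether the script's rules actually took effect is still what the Firewall Refactoring comparison is for.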

Ping

Ping commands should not work for external addresses from the Whonix-Workstation. The reason is that ICMP traffic is not proxied and is filtered by Whonix Firewall (/usr/bin/whonix_firewall), because Tor does not support UDP. For example, ping google.com will not work. To make ping functional, see the Allow UDP chapter.

SUID Disabler and Permission Hardener removes the SUID bit from ping to reduce the attack surface, since ping would not work anyway. [4] When that occurs, to re-enable ping functionality refer to the Whitelist Specific Capability Binaries chapter. This of course does not resolve the issue that Tor does not support UDP.

Forum discussion:
Ping operation permitted?

Allow UDP

The Tor software does not support UDP. The feature request UDP over Tor was created in 2013 and closed as won't fix by upstream (The Tor Project) in 2018. It is therefore highly unlikely that the UDP over Tor feature will ever be implemented. This is unspecific to Whonix.

Tor provides a DnsPort but that is unrelated.

If UDP is urgently required in Whonix, a limited workaround is provided. For the most secure method, see Tunnel UDP over Tor.

To allow UDP, complete the following steps.

1. Modify Whonix-Workstation User Firewall Settings

Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.

If using Qubes-Whonix, complete these steps.

In the Whonix-Workstation App Qube, make sure the folder /usr/local/etc/whonix_firewall.d exists.

sudo mkdir -p /usr/local/etc/whonix_firewall.d

Qubes App Launcher (blue/grey "Q") → Whonix-Workstation App Qube (commonly called anon-whonix) → Whonix User Firewall Settings

If using a graphical Whonix-Workstation, complete these steps.

Start Menu → Applications → System → User Firewall Settings

If using a terminal-only Whonix-Workstation, complete these steps.

Open file /usr/local/etc/whonix_firewall.d/50_user.conf with root rights.

sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf

Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_workstation_default.conf.

The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_workstation_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.

## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When {{project_name_short}} is updated, this
## file may be overwritten.

Also see: Whonix modular flexible .d style configuration folders.

To view the file, follow these instructions.

If using Qubes-Whonix, complete these steps.

Qubes App Launcher (blue/grey "Q") → Template: whonix-workstation-17 → Whonix Global Firewall Settings

If using a graphical Whonix-Workstation, complete these steps.

Start Menu → Applications → Settings → Global Firewall Settings

If using a terminal-only Whonix-Workstation, complete these steps.

In Whonix-Workstation, open the whonix_firewall configuration file in an editor.

nano /etc/whonix_firewall.d/30_whonix_workstation_default.conf

2. Add. [5]

firewall_allow_udp=true

Save.

3. Reload Whonix-Workstation Firewall.

If you are using Qubes-Whonix, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Workstation App Qube (commonly named anon-whonix) → Reload Whonix Firewall

If you are using a graphical Whonix-Workstation, complete the following steps.

Start Menu → Applications → System → Reload Whonix Firewall

If you are using a terminal-only Whonix-Workstation, run:

sudo whonix_firewall

4. Done.

The procedure is complete. Whonix-Workstation firewall will now permit UDP.

5. Notice.

Allowing UDP in the firewall by itself is insufficient to make UDP work. See the infobox on top of this wiki chapter.
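The settings added by the procedures on this page (EXTERNAL_OPEN_PORTS, INTERNAL_OPEN_PORTS, EXTERNAL_OPEN_ALL, outgoing_allow_ip_list and firewall_allow_udp) are plain shell assignments in a .d drop-in, and a typo in a value (a port above 65535, a malformed IP address, a boolean written as "yes") is not reported by anything until the Firewall Refactoring comparison. The following added example, which is not Whonix project code, is a POSIX shell pre-flight check for such a file that validates each documented setting before `sudo whonix_firewall` is run. It knows only the variable names used on this page (an assumption: any other setting is reported as unknown rather than rejected) and runs against constructed sample files in a temporary directory.

```shell
#!/bin/sh
# Added example (not Whonix project code): validate a Whonix user firewall settings
# drop-in such as /usr/local/etc/whonix_firewall.d/50_user.conf before reloading.
# Only the settings documented on this page are known (assumption); anything else
# is reported as a warning on stderr, not as an error.

is_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

is_ipv4() {
    case $1 in ''|.*|*.|*..*) return 1 ;; esac       # reject empty, leading/trailing/double dots
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

check_whonix_user_conf() {
    conf=$1
    errors=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}        # trim leading whitespace
        case $line in ''|\#*) continue ;; esac         # skip blank lines and comments
        case $line in *=*) ;; *)
            echo "$conf: unparsable line: $line" >&2; errors=$((errors + 1)); continue ;;
        esac
        name=${line%%=*}
        name=${name%+}                                 # "NAME+=" and "NAME=" both set NAME
        value=${line#*=}
        value=$(printf '%s\n' "$value" | tr -d "\"'" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $name in
            EXTERNAL_OPEN_PORTS|INTERNAL_OPEN_PORTS)
                for port in $value; do
                    is_port "$port" || { echo "$conf: $name: invalid port '$port'" >&2; errors=$((errors + 1)); }
                done ;;
            outgoing_allow_ip_list)
                for ip in $value; do
                    is_ipv4 "$ip" || { echo "$conf: $name: invalid IPv4 address '$ip'" >&2; errors=$((errors + 1)); }
                done ;;
            EXTERNAL_OPEN_ALL|firewall_allow_udp)
                case $value in true|false) ;; *)
                    echo "$conf: $name must be true or false, got '$value'" >&2; errors=$((errors + 1)) ;;
                esac ;;
            *) echo "$conf: warning: setting '$name' is not one this check knows" >&2 ;;
        esac
    done < "$conf"
    [ "$errors" -eq 0 ]
}

# Constructed sample files in a temporary directory (not real Whonix configuration).
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/good_50_user.conf" <<'EOF'
## constructed sample: the settings this page's procedures add, all valid
EXTERNAL_OPEN_PORTS+=" 80 "
INTERNAL_OPEN_PORTS+=" 9230 "
outgoing_allow_ip_list+=" 95.216.25.250 "
firewall_allow_udp=true
EOF
cat > "$DEMO_DIR/bad_50_user.conf" <<'EOF'
## constructed sample with three typical mistakes
EXTERNAL_OPEN_PORTS+=" 80 70000 "
outgoing_allow_ip_list+=" 95.216.25.250 300.1.1.1 "
EXTERNAL_OPEN_ALL=yes
EOF

if check_whonix_user_conf "$DEMO_DIR/good_50_user.conf"; then
    echo "good_50_user.conf: OK, safe to run: sudo whonix_firewall"
fi
if ! check_whonix_user_conf "$DEMO_DIR/bad_50_user.conf"; then
    echo "bad_50_user.conf: rejected"
fi
```

Run it against /usr/local/etc/whonix_firewall.d/50_user.conf (or /etc/whonix_firewall.d/50_user.conf) before reloading. It catches value errors, not semantic ones: a valid port number that is not the one you meant passes, so the Firewall Refactoring comparison of the actual rules before and after the change remains the authoritative check.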

Allow DNS

Similar to above.

By following instructions to Allow UDP, there will be no restrictions for DNS.

Purpose

Refer to Whonix-Workstation firewall design notes for further information.

Per-Application Filtering

To the knowledge of the author, per-application filtering, which personal firewalls attempt on Windows platforms, is not very popular on Linux distributions.

This is unsupported. This might change in the very long-term future. There is no ETA (estimated time of arrival). Should this change, this wiki chapter will be updated.

TODO: OpenSnitch might be capable of doing this. It might be incompatible with Whonix-Workstation firewall. An open technical question is whether per-application firewalls are even worthwhile. Sandboxing solutions might actually be superior depending on the user's use case. See below for sandboxing.

Alternatives:

  • Sandboxing: For example, AppArmor or other sandboxing frameworks for Linux with user-custom profiles might have this capability. This is out-of-scope for Whonix documentation. This process would be unspecific to Whonix.
  • Disabling transparent proxying: By disabling transparent proxying, applications not explicitly configured to use a Tor SocksPort will be unable to connect. This is sufficient for preventing accidental connections. It is, however, not a sandbox that could contain malware. In this case, see Disable Transparent Proxying.

Forum discussion: https://forums.whonix.org/t/blocking-certain-applications-from-accessing-internet/20247

See Also

Footnotes
