Merge pull request #1 from nyxnor/master

info messages to firewall
Whonix · Sep 26, 2022 · 67760a6 · 67760a6
2 parents 9da705e + 5ec6e1f
commit 67760a6
Show file tree

Hide file tree

Showing 3 changed files with 87 additions and 5 deletions.
diff --git a/usr/bin/whonix-gateway-firewall b/usr/bin/whonix-gateway-firewall
@@ -225,6 +225,7 @@ variables_defaults() {
    [ -n "$FLASHPROXY_PORT" ] || FLASHPROXY_PORT="9000"
 
    if [ ! "$WORKSTATION_ALLOW_SOCKSIFIED" = "1" ]; then
+      output_cmd "INFO: WORKSTATION_ALLOW_SOCKSIFIED='${WORKSTATION_ALLOW_SOCKSIFIED}', Socks Ports will not be opened"
       return 0
    fi
 
@@ -411,17 +412,24 @@ ipv4_input_rules() {
       fi
 
       local local_port_to_open
+      if [ "${info_enabled}" = "1" ]; then
+        output_cmd "INFO: Opening External TCP port(s): ${EXTERNAL_OPEN_PORTS:-"NONE"}"
+      fi
       for local_port_to_open in $EXTERNAL_OPEN_PORTS; do
          $iptables_cmd -A INPUT -i "$ext_if_item" -p tcp --dport "$local_port_to_open" -j ACCEPT
       done
 
       local local_udp_port_to_open
+      if [ "${info_enabled}" = "1" ]; then
+        output_cmd "INFO: Opening External UDP port(s): ${EXTERNAL_UDP_OPEN_PORTS:-"NONE"}"
+      fi
       for local_udp_port_to_open in $EXTERNAL_UDP_OPEN_PORTS; do
          $iptables_cmd -A INPUT -p udp --dport "$local_udp_port_to_open" -j ACCEPT
       done
 
       if [ "$EXTERNAL_OPEN_ALL" = "true" ]; then
-         $iptables_cmd -A INPUT -j ACCEPT
+        [ "${info_enabled}" = "1" ] && output_cmd "INFO: EXTERNAL_OPEN_ALL='true', opening all External ports"
+        $iptables_cmd -A INPUT -j ACCEPT
       fi
    done
 
@@ -480,13 +488,18 @@ ipv4_input_rules() {
 
       ## Allow socksified applications.
       if [ "$WORKSTATION_ALLOW_SOCKSIFIED" = "1" ]; then
+        if [ "${info_enabled}" = "1" ]; then
+          output_cmd "INFO: WORKSTATION_ALLOW_SOCKSIFIED='1', Socks Ports will be reacheable from the Workstation"
+          output_cmd "INFO: opening Internal TCP port(s): ${INTERNAL_OPEN_PORTS}"
+        fi
          for socks_port in $INTERNAL_OPEN_PORTS; do
             true "socks_port: $socks_port"
             $iptables_cmd -A INPUT -i "$int_tif_item" -p tcp --dport "$socks_port" -j ACCEPT
          done
 
          ## Accept ports 9152-9189 prepared for user custom applications.
          ## See /usr/share/tor/tor-service-defaults-torrc for more comments.
+         [ "${info_enabled}" = "1" ] && output_cmd "INFO: opening TCP port(s) 9152:9189 for user custom applications"
          $iptables_cmd -A INPUT -i "$int_tif_item" -p tcp --match multiport --dports 9152:9189 -j ACCEPT
       fi
    done
@@ -640,6 +653,9 @@ ipv4_output() {
    ## Prevent connections to Tor SocksPorts.
    ## https://phabricator.whonix.org/T533#11025
    if [ "$firewall_mode" = "timesync-fail-closed" ]; then
+      if [ "${info_enabled}" = "1" ]; then
+        output_cmd "INFO: not opening Internal TCP port(s): ${INTERNAL_OPEN_PORTS}, except 9108 for sdwdate, because firewall_mode=${firewall_mode}"
+      fi
       local socks_port_item
       for socks_port_item in $INTERNAL_OPEN_PORTS; do
          true "socks_port_item: $socks_port_item"
@@ -773,10 +789,37 @@ end() {
    exit 0
 }
 
+
+variable_list="
+WORKSTATION_TRANSPARENT_TCP
+WORKSTATION_TRANSPARENT_DNS
+WORKSTATION_ALLOW_SOCKSIFIED
+CONTROL_PORT_FILTER_PROXY_ENABLE
+GATEWAY_ALLOW_INCOMING_DIR_PORT
+GATEWAY_ALLOW_INCOMING_OR_PORT
+DIR_PORT
+OR_PORT
+GATEWAY_TRANSPARENT_TCP
+GATEWAY_TRANSPARENT_UDP
+GATEWAY_TRANSPARENT_DNS
+ALLOW_GATEWAY_ROOT_USER
+ALLOW_GATEWAY_USER_USER
+GATEWAY_ALLOW_INCOMING_SSH
+GATEWAY_ALLOW_INCOMING_ICMP
+"
+
+print_variables(){
+  for item in ${variable_list}; do
+    eval value='$'"${item}"
+    output_cmd "INFO: ${item}=${value}"
+  done
+}
+
 main() {
    init
    firewall_mode_detection
    variables_defaults
+   [ "${info_enabled}" = "1" ] && print_variables
    ipv4_defaults
    ipv4_preparation
    ipv4_drop_invalid_incoming_packages
@@ -793,5 +836,20 @@ main() {
    end
 }
 
+usage(){
+  echo "usage: ${0##*/} [options]
+    -i, --info           print informational messages
+    -h, --help           print this help message"
+}
+
+while true; do
+  case $1 in
+    -i|--info) info_enabled=1; shift 1;;
+    "") break;;
+    -h|--help|*) usage; exit 1;;
+  esac
+done
+
+
 source_config_folder
 main
diff --git a/usr/bin/whonix-workstation-firewall b/usr/bin/whonix-workstation-firewall
@@ -274,16 +274,24 @@ ipv4_input_rules() {
       true "firewall_mode is $firewall_mode, therefore not opening EXTERNAL_OPEN_PORTS."
    else
       local local_port_to_open
+      if [ "${info_enabled}" = "1" ]; then
+        output_cmd "INFO: Opening External TCP port(s): ${EXTERNAL_OPEN_PORTS:-"NONE"}"
+      fi
       for local_port_to_open in $EXTERNAL_OPEN_PORTS; do
          $iptables_cmd -A INPUT -p tcp --dport "$local_port_to_open" -j ACCEPT
       done
 
       local local_udp_port_to_open
+      if [ "${info_enabled}" = "1" ]; then
+        output_cmd "INFO: Opening External UDP port(s): ${EXTERNAL_UDP_OPEN_PORTS:-"NONE"}"
+      fi
       for local_udp_port_to_open in $EXTERNAL_UDP_OPEN_PORTS; do
+
          $iptables_cmd -A INPUT -p udp --dport "$local_udp_port_to_open" -j ACCEPT
       done
 
       if [ "$EXTERNAL_OPEN_ALL" = "true" ]; then
+         [ "${info_enabled}" = "1" ] && output_cmd "INFO: EXTERNAL_OPEN_ALL='true', all external ports will be opened"
          $iptables_cmd -A INPUT -j ACCEPT
       fi
    fi
@@ -365,6 +373,7 @@ ipv4_output() {
    ## https://phabricator.whonix.org/T533#11025
    if [ "$firewall_mode" = "timesync-fail-closed" ]; then
       local socks_port_item
+      [ "${info_enabled}" = "1" ] && output_cmd "INFO: not opening Internal TCP ports ${INTERNAL_OPEN_PORTS}, except 9108 for sdwdate, because firewall_mode=$firewall_mode"
       for socks_port_item in $INTERNAL_OPEN_PORTS; do
          true "socks_port_item: $socks_port_item"
          ## SOCKS_PORT_SDWDATE
@@ -634,5 +643,20 @@ main() {
    end
 }
 
+usage(){
+  echo "usage: ${0##*/} [options]
+    -i, --info           print informational messages
+    -h, --help           print this help message"
+}
+
+while test -n $1; do
+  case $1 in
+    -i|--info) info_enabled=1; shift 1;;
+    "") break;;
+    -h|--help|*) usage; exit 1;;
+  esac
+done
+
+
 source_config_folder
 main
diff --git a/usr/bin/whonix_firewall b/usr/bin/whonix_firewall
@@ -13,13 +13,13 @@
 set -e
 
 if [ -f "/run/qubes/this-is-templatevm" ]; then
-   /usr/bin/whonix-workstation-firewall
+   whonix-workstation-firewall "$@"
 elif [ -f "/usr/share/anon-gw-base-files/gateway" ]; then
-   /usr/bin/whonix-gateway-firewall
+   whonix-gateway-firewall "$@"
 elif [ -f "/usr/share/anon-ws-base-files/workstation" ]; then
-   /usr/bin/whonix-workstation-firewall
+   whonix-workstation-firewall "$@"
 elif [ -f "/usr/share/libvirt-dist/marker" ]; then
-   /usr/bin/whonix-host-firewall
+   whonix-host-firewall "$@"
 else
    echo "ERROR: Neither file /usr/share/anon-gw-base-files/gateway nor file /usr/share/anon-ws-base-files/workstation exists! If this is a Whonix-Gateway, package anon-gw-base-files needs to be installed. If this is a Whonix-Workstation, package anon-ws-base-files needs to be installed." >&2
    exit 1