Merge pull request #3 from IainKay/allow-incoming-related-state

add opt-in configuration for incoming Related connections through 'gateway_allow_incoming_related_state'
Whonix · May 15, 2023 · 810b740 · 810b740
2 parents b2ff0e3 + f604259
commit 810b740
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/usr/bin/whonix-gateway-firewall b/usr/bin/whonix-gateway-firewall
@@ -379,8 +379,14 @@ ipv4_input_rules() {
   ## Traffic on the loopback interface is accepted.
   $iptables_cmd -A INPUT -i lo -j ACCEPT
 
-  ## Established incoming connections are accepted.
-  $iptables_cmd -A INPUT -m state --state ESTABLISHED -j ACCEPT
+  ## Established incoming connections are always accepted.
+  ## Optionally, allow Related incoming connections when
+  ## GATEWAY_ALLOW_INCOMING_RELATED_STATE mode is enabled.
+  if [ "$GATEWAY_ALLOW_INCOMING_RELATED_STATE" = "1" ]; then
+    $iptables_cmd -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+  else
+    $iptables_cmd -A INPUT -m state --state ESTABLISHED -j ACCEPT
+  fi
 
   ## Drop all incoming ICMP traffic by default.
   ## All incoming connections are dropped by default anyway, but should a user