From 6e0dd7bed6138f2121938399b6d30bc9f2016ce1 Mon Sep 17 00:00:00 2001 From: nyxnor Date: Mon, 26 Sep 2022 14:28:23 +0000 Subject: [PATCH 1/6] make the main script pass arguments to child also make the script be called by path, so easier to test by placing script at /usr/local/bin --- usr/bin/whonix_firewall | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/usr/bin/whonix_firewall b/usr/bin/whonix_firewall index a993acf..1371ea3 100755 --- a/usr/bin/whonix_firewall +++ b/usr/bin/whonix_firewall @@ -13,13 +13,13 @@ set -e if [ -f "/run/qubes/this-is-templatevm" ]; then - /usr/bin/whonix-workstation-firewall + whonix-workstation-firewall $@ elif [ -f "/usr/share/anon-gw-base-files/gateway" ]; then - /usr/bin/whonix-gateway-firewall + whonix-gateway-firewall $@ elif [ -f "/usr/share/anon-ws-base-files/workstation" ]; then - /usr/bin/whonix-workstation-firewall + whonix-workstation-firewall $@ elif [ -f "/usr/share/libvirt-dist/marker" ]; then - /usr/bin/whonix-host-firewall + whonix-host-firewall $@ else echo "ERROR: Neither file /usr/share/anon-gw-base-files/gateway nor file /usr/share/anon-ws-base-files/workstation exists! If this is a Whonix-Gateway, package anon-gw-base-files needs to be installed. If this is a Whonix-Workstation, package anon-ws-base-files needs to be installed." >&2 exit 1 From 950cdaf1a721aa3e5230ab83d1fe678b84a64a56 Mon Sep 17 00:00:00 2001 From: nyxnor Date: Mon, 26 Sep 2022 14:29:00 +0000 Subject: [PATCH 2/6] print informational messages https://forums.whonix.org/t/print-ports-opened-in-the-firewall/15469 --- usr/bin/whonix-gateway-firewall | 62 ++++++++++++++++++++++++++++- usr/bin/whonix-workstation-firewall | 24 +++++++++++ 2 files changed, 85 insertions(+), 1 deletion(-) diff --git a/usr/bin/whonix-gateway-firewall b/usr/bin/whonix-gateway-firewall index 6a08ddc..c2e3ee2 100755 --- a/usr/bin/whonix-gateway-firewall +++ b/usr/bin/whonix-gateway-firewall 
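Review bot: Each branch of the `if`/`elif` chain now invokes `whonix-workstation-firewall`, `whonix-gateway-firewall` or `whonix-host-firewall` by bare name, so the firewall script that runs as root is whichever file PATH resolves first; the commit message says this is intended so a copy in /usr/local/bin can shadow the packaged one, but it makes the installed ruleset depend on the caller's environment rather than on the package. If the shadowing is wanted, state it in the script and fix the lookup order explicitly, e.g. `## /usr/local/bin is searched first on purpose so a test copy can override the packaged script` followed by `PATH="/usr/local/bin:/usr/bin:/bin"`; otherwise keep the absolute paths and allow an override through a dedicated variable. The chain's closing `fi` lies outside the hunk.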
@@ -225,6 +225,9 @@ variables_defaults() {
 [ -n "$FLASHPROXY_PORT" ] || FLASHPROXY_PORT="9000"
 if [ ! "$WORKSTATION_ALLOW_SOCKSIFIED" = "1" ]; then
+ if [ "${info_enabled}" = "1" ]; then
+ output_cmd "INFO: WORKSTATION_ALLOW_SOCKSIFIED='${WORKSTATION_ALLOW_SOCKSIFIED}', Socks Ports will not be opened"
+ fi
 return 0
 fi
@@ -411,17 +414,24 @@ ipv4_input_rules() {
 fi
 local local_port_to_open
+ if test -n "${EXTERNAL_OPEN_PORTS}" && [ "${info_enabled}" = "1" ]; then
+ output_cmd "INFO: Opening External TCP port(s): ${EXTERNAL_OPEN_PORTS}"
+ fi
 for local_port_to_open in $EXTERNAL_OPEN_PORTS; do
 $iptables_cmd -A INPUT -i "$ext_if_item" -p tcp --dport "$local_port_to_open" -j ACCEPT
 done
 local local_udp_port_to_open
+ if test -n "${EXTERNAL_UDP_OPEN_PORTS}" && [ "${info_enabled}" = "1" ]; then
+ output_cmd "INFO: Opening External UDP port(s): ${EXTERNAL_UDP_OPEN_PORTS}"
+ fi
 for local_udp_port_to_open in $EXTERNAL_UDP_OPEN_PORTS; do
 $iptables_cmd -A INPUT -p udp --dport "$local_udp_port_to_open" -j ACCEPT
 done
 if [ "$EXTERNAL_OPEN_ALL" = "true" ]; then
- $iptables_cmd -A INPUT -j ACCEPT
+ [ "${info_enabled}" = "1" ] && output_cmd "INFO: EXTERNAL_OPEN_ALL='true', opening all External ports"
+ $iptables_cmd -A INPUT -j ACCEPT
 fi
 done
@@ -480,6 +490,10 @@ ipv4_input_rules() {
 ## Allow socksified applications.
 if [ "$WORKSTATION_ALLOW_SOCKSIFIED" = "1" ]; then
+ if [ "${info_enabled}" = "1" ]; then
+ output_cmd "INFO: WORKSTATION_ALLOW_SOCKSIFIED='1', Socks Ports will be reacheable from the Workstation"
+ output_cmd "INFO: opening Internal TCP port(s): ${INTERNAL_OPEN_PORTS}"
+ fi
 for socks_port in $INTERNAL_OPEN_PORTS; do
 true "socks_port: $socks_port"
 $iptables_cmd -A INPUT -i "$int_tif_item" -p tcp --dport "$socks_port" -j ACCEPT
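Review bot: The new `INFO: Opening External TCP port(s)` and UDP messages sit inside what appears to be a per-interface loop — the TCP rule uses `-i "$ext_if_item"` and the hunk closes with a `done` whose loop header is outside the hunk — so with more than one external interface the same message is printed once per interface. If that loop is indeed over external interfaces, either hoist the two `if [ "${info_enabled}" = "1" ]` blocks above it or include `${ext_if_item}` in the message text so repeated lines are distinguishable. The `[ "${info_enabled}" = "1" ] && output_cmd …` one-liner in the EXTERNAL_OPEN_ALL branch differs from the `if … fi` form used a few lines above; one form throughout would read better.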
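Review bot: The user-facing text `Socks Ports will be reacheable from the Workstation` misspells "reachable"; change it to `output_cmd "INFO: WORKSTATION_ALLOW_SOCKSIFIED='1', Socks Ports will be reachable from the Workstation"`. Both INFO lines are emitted inside the loop whose rule uses `-i "$int_tif_item"`, so if that loop iterates several internal interfaces the same duplicate-per-interface caveat as for the external ports applies. The enclosing `if [ "$WORKSTATION_ALLOW_SOCKSIFIED" = "1" ]` block closes outside the hunk.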
@@ -487,6 +501,7 @@ ipv4_input_rules() {
 ## Accept ports 9152-9189 prepared for user custom applications.
 ## See /usr/share/tor/tor-service-defaults-torrc for more comments.
+ [ "${info_enabled}" = "1" ] && output_cmd "INFO: opening TCP port(s) 9152:9189 for user custom applications"
 $iptables_cmd -A INPUT -i "$int_tif_item" -p tcp --match multiport --dports 9152:9189 -j ACCEPT
 fi
 done
@@ -640,6 +655,9 @@ ipv4_output() {
 ## Prevent connections to Tor SocksPorts.
 ## https://phabricator.whonix.org/T533#11025
 if [ "$firewall_mode" = "timesync-fail-closed" ]; then
+ if [ "${info_enabled}" = "1" ]; then
+ output_cmd "INFO: firewall_mode=${firewall_mode}, closing Internal TCP port(s): ${INTERNAL_OPEN_PORTS}, except 9108 for sdwdate"
+ fi
 local socks_port_item
 for socks_port_item in $INTERNAL_OPEN_PORTS; do
 true "socks_port_item: $socks_port_item"
@@ -773,10 +791,37 @@ end() {
 exit 0
 }
+
+variable_list="
+WORKSTATION_TRANSPARENT_TCP
+WORKSTATION_TRANSPARENT_DNS
+WORKSTATION_ALLOW_SOCKSIFIED
+CONTROL_PORT_FILTER_PROXY_ENABLE
+GATEWAY_ALLOW_INCOMING_DIR_PORT
+GATEWAY_ALLOW_INCOMING_OR_PORT
+DIR_PORT
+OR_PORT
+GATEWAY_TRANSPARENT_TCP
+GATEWAY_TRANSPARENT_UDP
+GATEWAY_TRANSPARENT_DNS
+ALLOW_GATEWAY_ROOT_USER
+ALLOW_GATEWAY_USER_USER
+GATEWAY_ALLOW_INCOMING_SSH
+GATEWAY_ALLOW_INCOMING_ICMP
+"
+
+print_variables(){
+ for item in ${variable_list}; do
+ eval value='$'"${item}"
+ output_cmd "INFO: ${item}=${value}"
+ done
+}
+
 main() {
 init
 firewall_mode_detection
 variables_defaults
+ [ "${info_enabled}" = "1" ] && print_variables
 ipv4_defaults
 ipv4_preparation
 ipv4_drop_invalid_incoming_packages
@@ -793,5 +838,20 @@ main() {
 end
 }
+usage(){
+ echo "usage: ${0##*/} [options]
+ -i, --info print informational messages
+ -h, --help print this help message"
+}
+
+while true; do
+ case $1 in
+ -i|--info) info_enabled=1; shift 1;;
+ "") break;;
+ -h|--help|*) usage; exit 1;;
+ esac
+done
+
+
 source_config_folder
 main
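Review bot: `print_variables` uses `eval value='$'"${item}"` for indirection and leaves `item` and `value` as globals; because `variable_list` is a fixed literal defined just above, the eval never sees external input, but nothing in the code records that invariant for the next person who wants to extend the list from the config folder. Add `local item value` as the first line of the function and a comment such as `## variable_list is a constant defined above; never build it from config or argv, eval expands the names` — if the scripts run under bash rather than sh (the shebang is not in the hunk), `value=${!item}` would avoid eval altogether. An unset variable prints as `INFO: NAME=`, identical to an empty one, which is acceptable but worth a word in the comment. `main()` continues outside the hunk.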
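Review bot: `-h|--help` and unknown options share one `case` arm, so an explicit `--help` exits with status 1 and prints usage to stdout exactly like a typo does; help should succeed and errors should go to stderr: `-h|--help) usage; exit 0;;` and `*) usage >&2; exit 1;;`. The `"") break;;` arm ends parsing on the first empty argument rather than only when arguments run out, which is fine for the two flags defined but deserves a comment like `## an empty $1 means no arguments remain`. The same parser is duplicated in whonix-workstation-firewall in the next file section; the two copies should at least agree on their loop condition.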
diff --git a/usr/bin/whonix-workstation-firewall b/usr/bin/whonix-workstation-firewall
index b230bd1..b3b8a00 100755
--- a/usr/bin/whonix-workstation-firewall
+++ b/usr/bin/whonix-workstation-firewall
@@ -274,16 +274,24 @@ ipv4_input_rules() {
 true "firewall_mode is $firewall_mode, therefore not opening EXTERNAL_OPEN_PORTS."
 else
 local local_port_to_open
+ if test -n "${EXTERNAL_OPEN_PORTS}" && [ "${info_enabled}" = "1" ]; then
+ output_cmd "INFO: Opening External TCP port(s): ${EXTERNAL_OPEN_PORTS}"
+ fi
 for local_port_to_open in $EXTERNAL_OPEN_PORTS; do
 $iptables_cmd -A INPUT -p tcp --dport "$local_port_to_open" -j ACCEPT
 done
 local local_udp_port_to_open
+ if test -n "${EXTERNAL_UDP_OPEN_PORTS}" && [ "${info_enabled}" = "1" ]; then
+ output_cmd "INFO: Opening External UDP port(s): ${EXTERNAL_UDP_OPEN_PORTS}"
+ fi
 for local_udp_port_to_open in $EXTERNAL_UDP_OPEN_PORTS; do
+
 $iptables_cmd -A INPUT -p udp --dport "$local_udp_port_to_open" -j ACCEPT
 done
 if [ "$EXTERNAL_OPEN_ALL" = "true" ]; then
+ [ "${info_enabled}" = "1" ] && output_cmd "INFO: EXTERNAL_OPEN_ALL='true', all external ports will be opened"
 $iptables_cmd -A INPUT -j ACCEPT
 fi
 fi
@@ -365,6 +373,7 @@ ipv4_output() {
 ## https://phabricator.whonix.org/T533#11025
 if [ "$firewall_mode" = "timesync-fail-closed" ]; then
 local socks_port_item
+ [ "${info_enabled}" = "1" ] && output_cmd "firewall_mode='${firewall_mode}', closing all internal TCP ports ${INTERNAL_OPEN_PORTS}, except 9108 for sdwdate"
 for socks_port_item in $INTERNAL_OPEN_PORTS; do
 true "socks_port_item: $socks_port_item"
 ## SOCKS_PORT_SDWDATE
@@ -634,5 +643,20 @@ main() {
 end
 }
+usage(){
+ echo "usage: ${0##*/} [options]
+ -i, --info print informational messages
+ -h, --help print this help message"
+}
+
+while test -n $1; do
+ case $1 in
+ -i|--info) info_enabled=1; shift 1;;
+ "") break;;
+ -h|--help|*) usage; exit 1;;
+ esac
+done
+
+
 source_config_folder
 main
From b303e37017a25fe6893cc739cde430755f3c1f92 Mon Sep 17 00:00:00 2001
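Review bot: A lone `+` line is added inside the `for local_udp_port_to_open` loop body, between `do` and the `$iptables_cmd -A INPUT -p udp` rule; the hunk's eight additions with seven other visible added lines support reading it as an empty line rather than a duplicated rule, and it looks accidental, so drop it to keep the UDP loop shaped like the TCP loop above. The `INFO: EXTERNAL_OPEN_ALL='true'` wording here (`all external ports will be opened`) differs from the gateway's `opening all External ports` for the same event; identical phrasing in both scripts makes log review easier since one dispatcher drives both. The enclosing `if … else` and `ipv4_input_rules` continue outside the hunk.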
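Review bot: `while test -n $1; do` leaves `$1` unquoted, so with no arguments the loop condition degrades to `test -n`, which is true by the one-argument rule, and only the `"") break;;` arm stops it; an argument containing whitespace instead makes `test` fail with a syntax error. Quote it — `while test -n "$1"; do` — after which the loop ends by itself when arguments run out and the `""` arm becomes a harmless fallback; the gateway script's `while true; do` is the other consistent choice, and the two parsers should not differ. As in the gateway parser, `-h|--help` exits 1 together with unknown options; use `-h|--help) usage; exit 0;;` for help and send the unknown-option usage to stderr.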
From: nyxnor
Date: Mon, 26 Sep 2022 15:32:33 +0000
Subject: [PATCH 3/6] always inform SOCKSIFIED if set to '0'
---
 usr/bin/whonix-gateway-firewall | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/usr/bin/whonix-gateway-firewall b/usr/bin/whonix-gateway-firewall
index c2e3ee2..f8de020 100755
--- a/usr/bin/whonix-gateway-firewall
+++ b/usr/bin/whonix-gateway-firewall
@@ -225,9 +225,7 @@ variables_defaults() {
 [ -n "$FLASHPROXY_PORT" ] || FLASHPROXY_PORT="9000"
 if [ ! "$WORKSTATION_ALLOW_SOCKSIFIED" = "1" ]; then
- if [ "${info_enabled}" = "1" ]; then
- output_cmd "INFO: WORKSTATION_ALLOW_SOCKSIFIED='${WORKSTATION_ALLOW_SOCKSIFIED}', Socks Ports will not be opened"
- fi
+ output_cmd "INFO: WORKSTATION_ALLOW_SOCKSIFIED='${WORKSTATION_ALLOW_SOCKSIFIED}', Socks Ports will not be opened"
 return 0
 fi
From 682be4c3c74668f21aa873bfe92c3a52d8caf81b Mon Sep 17 00:00:00 2001
From: nyxnor
Date: Mon, 26 Sep 2022 15:41:25 +0000
Subject: [PATCH 4/6] double quote "$@"
---
 usr/bin/whonix_firewall | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/usr/bin/whonix_firewall b/usr/bin/whonix_firewall
index 1371ea3..81b0a98 100755
--- a/usr/bin/whonix_firewall
+++ b/usr/bin/whonix_firewall
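Review bot: This `output_cmd` is now the only `INFO:` line in the series that is not gated on `info_enabled`, so it is printed on every firewall run regardless of `--info`; the commit subject says that is deliberate, but the code itself gives no hint, and a later reader will likely "fix" it back. Add a comment directly above the call, e.g. `## printed unconditionally on purpose: a disabled SOCKSIFIED setting is worth seeing even without --info`. Note that the early `return 0` that follows is pre-existing context and skips the rest of `variables_defaults`, which continues outside the hunk.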
@@ -13,13 +13,13 @@ set -e
 if [ -f "/run/qubes/this-is-templatevm" ]; then
- whonix-workstation-firewall $@
+ whonix-workstation-firewall "$@"
 elif [ -f "/usr/share/anon-gw-base-files/gateway" ]; then
- whonix-gateway-firewall $@
+ whonix-gateway-firewall "$@"
 elif [ -f "/usr/share/anon-ws-base-files/workstation" ]; then
- whonix-workstation-firewall $@
+ whonix-workstation-firewall "$@"
 elif [ -f "/usr/share/libvirt-dist/marker" ]; then
- whonix-host-firewall $@
+ whonix-host-firewall "$@"
 else
 echo "ERROR: Neither file /usr/share/anon-gw-base-files/gateway nor file /usr/share/anon-ws-base-files/workstation exists! If this is a Whonix-Gateway, package anon-gw-base-files needs to be installed. If this is a Whonix-Workstation, package anon-ws-base-files needs to be installed." >&2
 exit 1
From 3c5fd6b4eb446cd997384818bee35d2baf0629bc Mon Sep 17 00:00:00 2001
From: nyxnor
Date: Mon, 26 Sep 2022 15:49:08 +0000
Subject: [PATCH 5/6] be verbose no port is being opened
---
 usr/bin/whonix-gateway-firewall | 8 ++++----
 usr/bin/whonix-workstation-firewall | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/usr/bin/whonix-gateway-firewall b/usr/bin/whonix-gateway-firewall
index f8de020..30a64e7 100755
--- a/usr/bin/whonix-gateway-firewall
+++ b/usr/bin/whonix-gateway-firewall
@@ -412,16 +412,16 @@ ipv4_input_rules() {
 fi
 local local_port_to_open
- if test -n "${EXTERNAL_OPEN_PORTS}" && [ "${info_enabled}" = "1" ]; then
- output_cmd "INFO: Opening External TCP port(s): ${EXTERNAL_OPEN_PORTS}"
+ if [ "${info_enabled}" = "1" ]; then
+ output_cmd "INFO: Opening External TCP port(s): ${EXTERNAL_OPEN_PORTS:-"NONE"}"
 fi
 for local_port_to_open in $EXTERNAL_OPEN_PORTS; do
 $iptables_cmd -A INPUT -i "$ext_if_item" -p tcp --dport "$local_port_to_open" -j ACCEPT
 done
 local local_udp_port_to_open
- if test -n "${EXTERNAL_UDP_OPEN_PORTS}" && [ "${info_enabled}" = "1" ]; then
- output_cmd "INFO: Opening External UDP port(s): ${EXTERNAL_UDP_OPEN_PORTS}"
+ if [ "${info_enabled}" = "1" ]; then
+ output_cmd "INFO: Opening External UDP port(s): ${EXTERNAL_UDP_OPEN_PORTS:-"NONE"}"
 fi
 for local_udp_port_to_open in $EXTERNAL_UDP_OPEN_PORTS; do
 $iptables_cmd -A INPUT -p udp --dport "$local_udp_port_to_open" -j ACCEPT
diff --git a/usr/bin/whonix-workstation-firewall b/usr/bin/whonix-workstation-firewall
index b3b8a00..84fd382 100755
--- a/usr/bin/whonix-workstation-firewall
+++ b/usr/bin/whonix-workstation-firewall
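Review bot: `${EXTERNAL_OPEN_PORTS:-"NONE"}` nests a second pair of double quotes inside an already double-quoted string; POSIX shells accept it, but it reads as unbalanced quoting, and `${EXTERNAL_OPEN_PORTS:-NONE}` is the conventional spelling — the same applies to the UDP line here and to both lines in the whonix-workstation-firewall hunk of this commit. A short comment on the first occurrence, e.g. `## :- also maps a set-but-empty variable to NONE, which is what the empty loop below then does`, would record why `:-` rather than `-` was chosen. The message is still printed once per iteration of the enclosing interface loop, whose header is outside the hunk.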
@@ -274,16 +274,16 @@ ipv4_input_rules() {
 true "firewall_mode is $firewall_mode, therefore not opening EXTERNAL_OPEN_PORTS."
 else
 local local_port_to_open
- if test -n "${EXTERNAL_OPEN_PORTS}" && [ "${info_enabled}" = "1" ]; then
- output_cmd "INFO: Opening External TCP port(s): ${EXTERNAL_OPEN_PORTS}"
+ if [ "${info_enabled}" = "1" ]; then
+ output_cmd "INFO: Opening External TCP port(s): ${EXTERNAL_OPEN_PORTS:-"NONE"}"
 fi
 for local_port_to_open in $EXTERNAL_OPEN_PORTS; do
 $iptables_cmd -A INPUT -p tcp --dport "$local_port_to_open" -j ACCEPT
 done
 local local_udp_port_to_open
- if test -n "${EXTERNAL_UDP_OPEN_PORTS}" && [ "${info_enabled}" = "1" ]; then
- output_cmd "INFO: Opening External UDP port(s): ${EXTERNAL_UDP_OPEN_PORTS}"
+ if [ "${info_enabled}" = "1" ]; then
+ output_cmd "INFO: Opening External UDP port(s): ${EXTERNAL_UDP_OPEN_PORTS:-"NONE"}"
 fi
 for local_udp_port_to_open in $EXTERNAL_UDP_OPEN_PORTS; do
From 5ec6e1fac57c5dd6d5f6a80170c61476e95141b3 Mon Sep 17 00:00:00 2001
From: nyxnor
Date: Mon, 26 Sep 2022 15:58:16 +0000
Subject: [PATCH 6/6] not opening ports instead of closing, wording
---
 usr/bin/whonix-gateway-firewall | 2 +-
 usr/bin/whonix-workstation-firewall | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/usr/bin/whonix-gateway-firewall b/usr/bin/whonix-gateway-firewall
index 30a64e7..42f8477 100755
--- a/usr/bin/whonix-gateway-firewall
+++ b/usr/bin/whonix-gateway-firewall
@@ -654,7 +654,7 @@ ipv4_output() {
 ## https://phabricator.whonix.org/T533#11025
 if [ "$firewall_mode" = "timesync-fail-closed" ]; then
 if [ "${info_enabled}" = "1" ]; then
- output_cmd "INFO: firewall_mode=${firewall_mode}, closing Internal TCP port(s): ${INTERNAL_OPEN_PORTS}, except 9108 for sdwdate"
+ output_cmd "INFO: not opening Internal TCP port(s): ${INTERNAL_OPEN_PORTS}, except 9108 for sdwdate, because firewall_mode=${firewall_mode}"
 fi
 local socks_port_item
 for socks_port_item in $INTERNAL_OPEN_PORTS; do
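Review bot: The reworded message hardcodes `9108` as the sdwdate port while the decision that exempts that port is made by the `for socks_port_item` loop below, whose body is outside the hunk (the workstation's equivalent hunk carries a `## SOCKS_PORT_SDWDATE` comment there); if the exemption compares against a variable, interpolate that variable in place of the literal so the log line cannot drift from the rule, and if it is a literal in the loop too, add `## 9108 must match the sdwdate exception in the loop below` next to the message. The same applies to the whonix-workstation-firewall hunk of this commit, which additionally writes `$firewall_mode` unbraced where every other message in the series uses `${firewall_mode}`. `ipv4_output` continues outside the hunk.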
diff --git a/usr/bin/whonix-workstation-firewall b/usr/bin/whonix-workstation-firewall
index 84fd382..4a7213e 100755
--- a/usr/bin/whonix-workstation-firewall
+++ b/usr/bin/whonix-workstation-firewall
@@ -373,7 +373,7 @@ ipv4_output() {
 ## https://phabricator.whonix.org/T533#11025
 if [ "$firewall_mode" = "timesync-fail-closed" ]; then
 local socks_port_item
- [ "${info_enabled}" = "1" ] && output_cmd "firewall_mode='${firewall_mode}', closing all internal TCP ports ${INTERNAL_OPEN_PORTS}, except 9108 for sdwdate"
+ [ "${info_enabled}" = "1" ] && output_cmd "INFO: not opening Internal TCP ports ${INTERNAL_OPEN_PORTS}, except 9108 for sdwdate, because firewall_mode=$firewall_mode"
 for socks_port_item in $INTERNAL_OPEN_PORTS; do
 true "socks_port_item: $socks_port_item"
 ## SOCKS_PORT_SDWDATE