{{Header}}
{{#seo:
|description=General information about {{project_name_gateway_long}} firewall. How-To: Changing firewall settings and Open a Port in {{project_name_gateway_long}} Firewall.
|image=Firewall146529640.png
}}
{{firewall_mininav}}
[[File:Firewall146529640.png|thumb|200px]]
{{intro|
General information about {{project_name_gateway_short}} firewall. How-To: Changing firewall settings and Open a Port in {{project_name_gateway_short}} Firewall.
}}
= Introduction =
{{project_name_long}} has an iptables rules script and firewall configuration file for both {{project_name_gateway_short}} and {{project_name_workstation_long}}. {{project_name_gateway_short}} firewall features include: [
https://github.com/{{project_name_short}}/whonix-firewall
]
* transparent proxying
* stream isolation
* reject invalid packages
* fail closed mechanism
* optional VPN-Firewall
* optional isolating proxy
* optional incoming flash proxy
* optional Tor relay
The firewall should not be removed unless you no longer wish to use {{project_name_short}}.
= {{project_name_gateway_short}} Firewall Settings =
{{Box|text=
'''1.''' {{Firewall_Settings_Gateway}}
'''2.''' Add setting.
'''3.''' Save.
'''4.''' {{Reload_Firewall}}
'''5.''' Done.
The procedure is complete.
}}
= How-to: Open an Incoming Port on {{project_name_gateway_short}} Firewall =
== From the Outside ==
{{Firewall_Custom}}
'''Host → {{project_name_gateway_short}}
'''Internet → Host → {{project_name_gateway_short}}
This will allow an incoming connection on {{project_name_gateway_short}} originating from:
* if using VM: the host.
* if using physical isolation: the Internet.
{{Box|text=
'''1.''' {{Firewall_Settings}}
'''2.''' Add.
Replace 80 with the actual port you would like to open.
{{CodeSelect|code=
EXTERNAL_OPEN_PORTS+=" 80 "
}}
'''3.''' Save.
'''4.''' {{Reload_Firewall}}
'''5.''' Done.
The procedure is complete.
}}
== For Connections Originating from {{project_name_workstation_short}} ==
{{Firewall_Custom}}
'''{{project_name_workstation_short}} → {{project_name_gateway_short}}'''
This will allow incoming connections from {{project_name_workstation_short}} to {{project_name_gateway_short}}.
It might be useful for [[Tor#Additional_SocksPorts|Tor additional SocksPorts]]. ('''{{project_name_workstation_short}} → {{project_name_gateway_short}} → Tor SocksPort''')
{{Box|text=
'''1.''' {{Firewall_Settings}}
'''2.''' Add.
Note: Replace 9230 with the actual port you would like to open. [
https://forums.whonix.org/t/internal-open-ports-setting/11404/1
]
{{CodeSelect|code=
INTERNAL_OPEN_PORTS+=" 9230 "
}}
'''3.''' Save.
'''4.''' {{Reload_Firewall}}
The procedure is complete.
}}
= Disable Socksified Connections =
The following setting prevents Whonix-Workstation from making sockified connections, i.e. applications talking to a Tor SocksPort listening on Whonix-Gateway.
Add the following setting to Whonix-Gateway firewall configuration.
{{CodeSelect|code=
WORKSTATION_ALLOW_SOCKSIFIED=0
}}
= Disable Transparent Proxying =
What is transparent proxying? See [[Stream_Isolation#Transparent_Proxy|Transparent Proxy]].
How to disable transparent proxying? See [[Stream_Isolation#Disable_Transparent_Proxying|Disable Transparent Proxying]].
= See Also =
* [[Ports|Open a Port(s) in {{project_name_short}} and Port Forwarding]]
* [[Configuration_Files#Configuration_Drop-In_Folders|{{project_name_short}} Configuration Drop-In Folders]]
* https://github.com/Whonix/whonix-firewall/blob/master/etc/whonix_firewall.d/30_whonix_gateway_default.conf
* https://github.com/Whonix/whonix-firewall/blob/master/usr/bin/whonix-gateway-firewall
* https://github.com/Whonix/whonix-firewall
* [[{{project_name_workstation_short}}_Firewall|{{project_name_workstation_short}} Firewall]]
* [[Install_Software#Whonix-Workstation_is_Firewalled|{{project_name_workstation_short}} is Firewalled]]
* [[Redirect_Whonix-Workstation_Ports_or_Unix_Domain_Socket_Files_to_Whonix-Gateway|Redirect Whonix-Workstation Ports or Unix Domain Socket Files to Whonix-Gateway]]
= Footnotes =
{{reflist|close=1}}
{{Footer}}
[[Category:Documentation]]