## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. #### meta start #### project Whonix #### category networking and firewall and vpn #### description ## undocumented #### meta end ## Whonix /etc/whonix_firewall.d/30_default.conf ## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration, ## which will override the defaults found here. When Whonix is updated, this ## file may be overwritten. ## Only apply this config to Whonix-Host. if [ ! -f "/usr/share/libvirt-dist/marker" ]; then return 0 fi ########################### ## VPN-Firewall Settings ## ########################### ## NOT YET IMPLEMENTED! ## UNTESTED! ## Make sure Tor always connects through the VPN. ## Enable: 1 ## Disable: 0 ## DISABELD BY DEFAULT, because it requires a VPN provider. #VPN_FIREWALL=1 ## IP address of the VPN server. ## Get the IP using: nslookup vpn-example-server.org ## Example: seattle.vpn.riseup.net ## Some providers provide multiple VPN servers. ## You can enter multiple IP addresses, separated by spaces. #VPN_SERVERS="198.252.153.26" ## For OpenVPN. #VPN_INTERFACE=tun0 ## Destinations you don not want routed through the VPN. ## 10.0.2.2/24: VirtualBox DHCP #LOCAL_NET="192.168.1.0/24 192.168.0.0/24 127.0.0.0/8 10.152.152.0/24 10.0.2.2/24" ############################# ## SSH into Whonix-Host ## ############################# ## This will simply open incoming port 22 in the Whonix-Host firewall. ## A port forwarding from the host to the Whonix-Host has still to be created, ## see SSH into Whonix-Host. ## Experts only! GATEWAY_ALLOW_INCOMING_SSH=0 ########## ## Misc ## ########## ## Reject invalid outgoing packages (0) or do not reject them (1). NO_REJECT_INVALID_OUTGOING_PACKAGES=0 ## NOT YET IMPLEMENTED! ## Destinations you don not want routed through Tor, only for Whonix-Gateway! ## 10.0.2.2/24: VirtualBox DHCP #NON_TOR_GATEWAY="192.168.1.0/24 192.168.0.0/24 127.0.0.0/8 10.152.152.0/24 10.0.2.2/24" ## Drop all incoming ICMP traffic. ## Enable: 1 ## Disable: 0 ## DISABLED BY DEFAULT GATEWAY_ALLOW_INCOMING_ICMP=0 ## Allow fragmentation-needed ICMP packets to avoid MTU problems ## when Whonix-Gateway is connected to a link that has smaller ## MTU than 1500 assumed by Whonix-Gateway ## Enable: 1 ## Disable: 0 ## ENABLED BY DEFAULT GATEWAY_ALLOW_INCOMING_ICMP_FRAG_NEEDED=1