## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom ## configuration, which will override the defaults found here. When Whonix is ## updated, this file may be overwritten. ## Only apply this config to Whonix-Workstation. if [ ! -f "/usr/share/anon-ws-base-files/workstation" ]; then return 0 fi #### meta start #### project Whonix #### category networking and firewall and vpn and dns #### workstation_only yes #### description ## Whonix firewall configuration file #### meta end ######################## ## Open External Ports # ######################## ## Open ports on all network interfaces, gateway as well as (if any) tunnel (VPN) interfaces. ## TCP only. UDP see below. Other protocols would require ## firewall modifications. #EXTERNAL_OPEN_PORTS+=" 22 " #EXTERNAL_OPEN_PORTS+=" 80 " ## Ports you wish to open on all network interfaces. UDP only. #EXTERNAL_UDP_OPEN_PORTS+=" 5300 " ## Open all ports on all network interfaces. #EXTERNAL_OPEN_ALL=true ######################## ## Open Outgoing Ports # ######################## ## Prevent connections to Tor SocksPorts ## in timesync-fail-closed firewall mode. ## https://forums.whonix.org/t/iptables-block-network-access-until-sdwdate-succeeded/18872 #INTERNAL_OPEN_PORTS+=" 22 " ######################### ## Allowed Outgoing IPs # ######################### ## Restrict outgoing IPs. ## WARNING: Not implemented for TUNNEL_FIREWALL_ENABLE=true, in that case ## consider researching setting up a firewall for VPN_INTERFACE. #outgoing_allow_ip_list+=" 95.216.25.250 " ########## ## Misc ## ########## ## IP HARDCODED. If you want to change IP, set variable GATEWAY_IP through a ## drop-in configuration snippet in /etc/whonix_firewall.d ## configuration folder instead. #GATEWAY_IP="10.152.152.10" NO_REJECT_INVALID_OUTGOING_PACKAGES=0 ## Setting firewall_mode always to full by default because the following ## usability issues are not yet resolved. Help welcome! ## Non-Qubes-Whonix: enable sdwdate-gui systray by default ## https://forums.whonix.org/t/enable-sdwdate-gui-systray-by-default/18774 ## Qubes-Whonix: make sdwdate-gui Qubes friendly ## https://forums.whonix.org/t/make-sdwdate-gui-qubes-friendly-sdwdate-gui-qubes/18871 firewall_mode=full ## Outgoing UDP. #firewall_allow_udp=true ############################## ## Tunnel Firewall Settings ## ############################## ## Make sure Tor always connects through the tunnel (such as VPN). ## Enable: 1 ## Disable: 0 ## DISABELD BY DEFAULT, because it requires a tunnel provider. ## (Previously this option was called 'VPN_FIREWALL=1'.) #TUNNEL_FIREWALL_ENABLE=true ## For OpenVPN. #VPN_INTERFACE=tun0 ## Destinations you don not want routed through the VPN. ## 10.0.2.2-10.0.2.24: VirtualBox DHCP ## Non-Qubes-Whonix defaults to: # LOCAL_NET="\ # 127.0.0.0-127.0.0.24 \ # 192.168.0.0-192.168.0.24 \ # 192.168.1.0-192.168.1.24 \ # 10.152.152.0-10.152.152.24 \ # 10.0.2.2-10.0.2.24 \ # " ## Allow connections to LOCAL_NET. ## Enables above. ## Be careful with this. Otherwise applications still configured - and some are ## configured by Whonix default - to use proxy settings - would connect to Tor ## directly while circumventing the tunnel, i.e. ## user -> Tor -> destination ## This includes Tor Browser, curl, wget, git and others. ## See Whonix documentation on tunnels. ## Defaults to: ## false #TUNNEL_FIREWALL_ALLOW_LOCAL_NET=true ## Allow sdwdate user to circumvent the tunnel, i.e. ## user -> Tor -> destination ## Since sdwdate only connects to Tor hidden services, sdwdate would not work ## without this setting. ## Defaults to: ## false #TUNNEL_FIREWALL_ALLOW_SDWDATE_USER=true ## Allow systemcheck to circumvent the tunnel, i.e. ## user -> Tor -> destination #TUNNEL_FIREWALL_ALLOW_SYSTEMCHECK=true ## Allow Tor Browser Downloader by Whonix developers circumvent the tunnel, i.e. ## user -> Tor -> destination #TUNNEL_FIREWALL_ALLOW_TB_UPDATER=true