diff --git a/usr/bin/whonix-gateway-firewall b/usr/bin/whonix-gateway-firewall
index dbf1880..c0f216a 100755
--- a/usr/bin/whonix-gateway-firewall
+++ b/usr/bin/whonix-gateway-firewall
@@ -107,7 +107,7 @@ variables_defaults() {
 ## drop-in configuration snippet in /etc/whonix_firewall.d
 ## configuration folder instead.
 NON_TOR_GATEWAY="\
- 127.0.0.0/24 \
+ 127.0.0.0/8 \
 192.168.0.0/24 \
 192.168.1.0/24 \
 10.152.152.0/24 \
@@ -116,11 +116,31 @@ variables_defaults() {
 fi
 fi
 
+ if [ -z "${NON_TOR_GATEWAY_IP6:-}" ]; then
+ if test -f /usr/share/qubes/marker-vm; then
+ NON_TOR_GATEWAY_IP6=""
+ else
+ ## 10.0.2.2/24: VirtualBox DHCP
+ ## IP HARDCODED. If you want to change IP, set variable GATEWAY_IP through a
+ ## drop-in configuration snippet in /etc/whonix_firewall.d
+ ## configuration folder instead.
+ NON_TOR_GATEWAY_IP6="\
+ ::1/128 \
+ fd19:c33d:88bc::0/96 \
+ ::ffff:127.0.0.0/104 \
+ ::ffff:192.168.0.0/120 \
+ ::ffff:192.168.1.0/120 \
+ ::ffff:10.152.152.0/120 \
+ ::ffff:10.0.2.2/120 \
+ "
+ fi
+ fi
+
 ## Destinations you do not routed through VPN, only for Whonix-Gateway.
 if [ -z "${LOCAL_NET:-}" ]; then
 if test -f /usr/share/qubes/marker-vm; then
 LOCAL_NET="\
- 127.0.0.0/24 \
+ 127.0.0.0/8 \
 10.137.0.0/16 \
 10.138.0.0/16 \
 "
@@ -130,7 +150,7 @@ variables_defaults() {
 ## drop-in configuration snippet in /etc/whonix_firewall.d
 ## configuration folder instead.
 LOCAL_NET="\
- 127.0.0.0/24 \
+ 127.0.0.0/8 \
 192.168.0.0/24 \
 192.168.1.0/24 \
 10.152.152.0/24 \
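Review bot: The `::ffff:` entries that make up most of NON_TOR_GATEWAY_IP6 in the `@@ -116,11 +116,31 @@` hunk are, as far as I know, never matched by an `ip6 daddr` rule: IPv4-mapped addresses exist only in the socket API, and a connection to `::ffff:10.152.152.1` leaves the host as an IPv4 packet that the `ip daddr` loop already covers, so the list suggests coverage it does not provide. The same applies to the `::ffff:` members of LOCAL_NET_IP6 (`@@ -139` here and the workstation `@@ -80` hunk) and of the whonix-host-firewall defaults (`@@ -14`, `@@ -21`); I would keep only `::1/128` and the native `fd19:…`/`fd09:…` prefixes, or document why the mapped forms are retained. The comment block copied above the new variable still tells the user to `set variable GATEWAY_IP`; it should read `## IP HARDCODED. If you want to change it, set variable NON_TOR_GATEWAY_IP6 through a`. Note also that NON_TOR_GATEWAY_IP6 is no longer derived from NON_TOR_GATEWAY, so a drop-in that overrides only the IPv4 list now leaves the IPv6 defaults in force. The enclosing variables_defaults() starts and ends outside this hunk.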
@@ -139,6 +159,35 @@ variables_defaults() {
 fi
 fi
 
+
+ ## Destinations you do not routed through VPN, only for Whonix-Gateway.
+ if [ -z "${LOCAL_NET_IP6:-}" ]; then
+ if test -f /usr/share/qubes/marker-vm; then
+ LOCAL_NET_IP6="\
+ ::1/128 \
+ fd09:24ef:4179::a8a:/112 \
+ fd09:24ef:4179::a89:/112 \
+ ::ffff:127.0.0.0/104 \
+ ::ffff:10.137.0.0/112 \
+ ::ffff:10.138.0.0/112 \
+ "
+ else
+ ## 10.0.2.2/24: VirtualBox DHCP
+ ## IP HARDCODED. If you want to change IP, set variable GATEWAY_IP through a
+ ## drop-in configuration snippet in /etc/whonix_firewall.d
+ ## configuration folder instead.
+ LOCAL_NET_IP6="\
+ ::1/128 \
+ fd19:c33d:88bc::0/96 \
+ ::ffff:127.0.0.0/104 \
+ ::ffff:192.168.0.0/120 \
+ ::ffff:192.168.1.0/120 \
+ ::ffff:10.152.152.0/120 \
+ ::ffff:10.0.2.2/120 \
+ "
+ fi
+ fi
+
 if [ -z "${WORKSTATION_DEST_SOCKSIFIED:-}" ]; then
 ## 10.152.152.10 - Non-Qubes-Whonix-Gateway IP
 ##
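Review bot: `fd09:24ef:4179::a8a:/112` and `fd09:24ef:4179::a89:/112` in the Qubes branch of LOCAL_NET_IP6 are not valid IPv6 literals (a lone trailing colon before the prefix length), so the `ip6 daddr` rule built from each will be rejected by nft — either the rule is silently missing or the whole firewall load fails, depending on error handling outside this hunk. The comment in the `@@ -153,18 +202,38 @@` hunk writes them as `fd09:24ef:4179::a89/112`, but with a /112 prefix `::a89` and `::a8a` both fall inside the host part and name the same network `fd09:24ef:4179::/112`; if two distinct /112s whose seventh hextet is a89 and a8a are intended, the literals should be `fd09:24ef:4179::a89:0/112 \` and `fd09:24ef:4179::a8a:0/112 \`, with the comment updated to match. The same strings occur in WORKSTATION_DEST_SOCKSIFIED_IPV6 (`@@ -153`) and in the workstation file's LOCAL_NET_IP6 (`@@ -80,6 +83,31 @@`). The enclosing variables_defaults() starts and ends outside this hunk.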
@@ -153,18 +202,38 @@ variables_defaults() {
 10.138.0.0/16 \
 10.152.152.10 \
 "
+ else
+ ## Non-Qubes-Whonix:
+ ## IP HARDCODED. If you want to change IP, set variable GATEWAY_IP through a
+ ## drop-in configuration snippet in /etc/whonix_firewall.d
+ ## configuration folder instead.
+ WORKSTATION_DEST_SOCKSIFIED="10.152.152.10"
+ fi
+ fi
+
+ if [ -z "${WORKSTATION_DEST_SOCKSIFIED_IPV6:-}" ]; then
+ ## fd19:c33d:88bc::10 - Non-Qubes-Whonix-Gateway IP
+ ##
+ ## fd09:24ef:4179::a89/112 - persistent Qubes-Whonix-Gateway IP range
+ ## fd09:24ef:4179::a8a/112 - DispVM Qubes-Whonix-Gateway IP range
+ if test -f /usr/share/qubes/marker-vm; then
+ ## https://forums.whonix.org/t/whonix-gateway-not-reachable/7484/16
+ ## Qubes-Whonix:
+ ## IP HARDCODED. IP 10.152.152.10 is hardcoded in some places.
 WORKSTATION_DEST_SOCKSIFIED_IPV6="\
+ fd09:24ef:4179::a8a:/112 \
+ fd09:24ef:4179::a89:/112 \
 ::ffff:10.137.0.0/112 \
 ::ffff:10.139.0.0/112 \
 ::ffff:10.152.152.10 \
+ fd19:c33d:88bc::10 \
 "
 else
 ## Non-Qubes-Whonix:
 ## IP HARDCODED. If you want to change IP, set variable GATEWAY_IP through a
 ## drop-in configuration snippet in /etc/whonix_firewall.d
 ## configuration folder instead.
- WORKSTATION_DEST_SOCKSIFIED="10.152.152.10"
- WORKSTATION_DEST_SOCKSIFIED_IPV6="::ffff:10.152.152.10"
+ WORKSTATION_DEST_SOCKSIFIED_IPV6="fd19:c33d:88bc::10"
 fi
 fi
 }
@@ -242,8 +311,9 @@ nft_output() {
 local non_tor_gateway_item
 for non_tor_gateway_item in $NON_TOR_GATEWAY; do
 $nftables_cmd add rule inet nat output ip daddr "$non_tor_gateway_item" counter return
- $nftables_cmd add rule inet nat output ip6 daddr "::ffff:$non_tor_gateway_item" counter return
- ## TODO: IPv6 test
+ done
+ for non_tor_gateway_item in $NON_TOR_GATEWAY_IP6; do
+ $nftables_cmd add rule inet nat output ip6 daddr "$non_tor_gateway_item" counter return
 done
 fi
 
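Review bot: The rewritten Qubes branch of WORKSTATION_DEST_SOCKSIFIED_IPV6 keeps `::ffff:10.139.0.0/112` beside the new `fd09:…` lines, while every other Qubes list on this page — LOCAL_NET, LOCAL_NET_IP6 and the IPv4 branch whose `10.138.0.0/16` is the first context line of this hunk — uses 10.137.0.0/16 and 10.138.0.0/16, so one of 10.138/10.139 looks like a typo. That line is context rather than this commit's change, but since the block is being rewritten this is the moment to settle which subnet is meant; a wrong subnet in a socksify destination list deserves a second look. The enclosing variables_defaults() starts outside this hunk.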
@@ -257,6 +327,9 @@ nft_output() {
 ## Existing connections are accepted.
 $nftables_cmd add rule inet filter output ct state established counter accept
 
+ # Accept ICMPv6 neighbor discovery.
+ $nftables_cmd add rule inet filter output icmpv6 type "{ nd-neighbor-solicit, nd-neighbor-advert }" counter accept
+
 if [ "$firewall_mode" = "full" ]; then
 ## Accept outgoing connections to local network, Whonix-Workstation and VirtualBox,
 ## unless VPN_FIREWALL mode is enabled.
@@ -265,8 +338,9 @@ nft_output() {
 local non_tor_gateway_item
 for non_tor_gateway_item in $NON_TOR_GATEWAY; do
 $nftables_cmd add rule inet filter output ip daddr "$non_tor_gateway_item" counter accept
- $nftables_cmd add rule inet filter output ip6 daddr "::ffff:$non_tor_gateway_item" counter accept
- ## TODO: IPv6 test
+ done
+ for non_tor_gateway_item in $NON_TOR_GATEWAY_IP6; do
+ $nftables_cmd add rule inet filter output ip6 daddr "$non_tor_gateway_item" counter accept
 done
 fi
 fi
@@ -279,8 +353,9 @@ nft_output() {
 local local_net_item
 for local_net_item in $LOCAL_NET; do
 $nftables_cmd add rule inet filter output ip daddr "$local_net_item" counter accept
- $nftables_cmd add rule inet filter output ip6 daddr "::ffff:$local_net_item" counter accept
- ## TODO: IPv6 test
+ done
+ for local_net_item in $LOCAL_NET_IP6; do
+ $nftables_cmd add rule inet filter output ip6 daddr "$local_net_item" counter accept
 done
 fi
 fi
@@ -369,7 +444,9 @@ INTERNAL_OPEN_PORTS
 INT_IF
 INT_TIF
 LOCAL_NET
+LOCAL_NET_IP6
 NON_TOR_GATEWAY
+NON_TOR_GATEWAY_IP6
 NO_NAT_USERS
 NO_REJECT_INVALID_OUTGOING_PACKAGES
 OR_PORT
diff --git a/usr/bin/whonix-host-firewall b/usr/bin/whonix-host-firewall
index 265b728..04015aa 100755
--- a/usr/bin/whonix-host-firewall
+++ b/usr/bin/whonix-host-firewall
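Review bot: The output accept for `nd-neighbor-solicit`/`nd-neighbor-advert` added in the `@@ -257,6 +327,9 @@` hunk matches on ICMPv6 type alone; RFC 4861 requires every Neighbor Discovery message to carry a hop limit of 255, so qualifying the rule with `ip6 hoplimit 255` costs nothing for legitimate ND and excludes anything that has been routed. The same qualifier fits the input-side rules added in whonix-workstation-firewall `nft_input_rules()` (`@@ -145,6 +173,9 @@`) and firewall-common `nft_input_rules_gateway()` (`@@ -353,13 +353,15 @@`), where it matters more because those chains accept from the network. Proposed: `$nftables_cmd add rule inet filter output icmpv6 type "{ nd-neighbor-solicit, nd-neighbor-advert }" ip6 hoplimit 255 counter accept`. On style, the new comment uses a single `#` while the rest of these files use `##`. The enclosing nft_output() starts and ends outside this hunk.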
@@ -14,6 +14,7 @@ variables_defaults(){
 ## 10.0.2.2/24: VirtualBox DHCP
 [ -n "${NON_TOR_GATEWAY:-}" ] || NON_TOR_GATEWAY="192.168.1.0/24 192.168.0.0/24 127.0.0.0/8 10.152.152.0/24 10.0.2.2/24"
+ [ -n "${NON_TOR_GATEWAY_IP6:-}" ] || NON_TOR_GATEWAY_IP6="::1/128 fd19:c33d:88bc::0/96 ::ffff:192.168.1.0/120 ::ffff:192.168.0.0/120 ::ffff:127.0.0.0/104 ::ffff:10.152.152.0/120 ::ffff:10.0.2.2/120"
 
 ## Space separated list of VPN servers, which Whonix-Gateway is allowed to connect to.
 [ -n "${VPN_SERVERS:-}" ] || VPN_SERVERS="198.252.153.26"
 
@@ -21,6 +22,7 @@ variables_defaults(){
 ## Destinations you do not routed through VPN, only for Whonix-Gateway.
 ## 10.0.2.2/24: VirtualBox DHCP
 [ -n "${LOCAL_NET:-}" ] || LOCAL_NET="192.168.1.0/24 192.168.0.0/24 127.0.0.0/8 10.152.152.0/24 10.0.2.2/24"
+ [ -n "${LOCAL_NET_IP6:-}" ] || LOCAL_NET_IP6="::1/128 fd19:c33d:88bc::0/96 ::ffff:192.168.1.0/120 ::ffff:192.168.0.0/120 ::ffff:127.0.0.0/104 ::ffff:10.152.152.0/120 ::ffff:10.0.2.2/120"
 
 [ -n "${GATEWAY_ALLOW_INCOMING_RELATED_STATE:-}" ] || GATEWAY_ALLOW_INCOMING_RELATED_STATE=""
 [ -n "${GATEWAY_ALLOW_INCOMING_ICMP:-}" ] || GATEWAY_ALLOW_INCOMING_ICMP=0
@@ -90,7 +92,7 @@ nft_output(){
 ## when VPN_FIREWALL mode is enabled.
 ## DISABLED BY DEFAULT.
 for SERVER in $VPN_SERVERS; do
- $nftables_cmd add rule inet filter output ip daddr "$SERVER" counter jump accept
+ $nftables_cmd add rule inet filter output inet daddr "$SERVER" counter jump accept
 done
 else
 ## Accept outgoing connections to local network, Whonix-Workstation and VirtualBox,
@@ -99,6 +101,9 @@ nft_output(){
 for NET in $NON_TOR_GATEWAY; do
 $nftables_cmd add rule inet filter output ip daddr "$NET" counter jump accept
 done
+ for NET in $NON_TOR_GATEWAY_IP6; do
+ $nftables_cmd add rule inet filter output ip6 daddr "$NET" counter jump accept
+ done
 fi
 
 ## clearnet user is allowed to connect any outside target.
diff --git a/usr/bin/whonix-workstation-firewall b/usr/bin/whonix-workstation-firewall
index 51e5b36..5c9fce0 100755
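Review bot: LOCAL_NET_IP6 is given a default in the `@@ -21,6 +22,7 @@` hunk, but no hunk in whonix-host-firewall consumes it — the only IPv6 loop this commit adds to the file is over NON_TOR_GATEWAY_IP6 (`@@ -99,6 +101,9 @@`). If the existing LOCAL_NET consumer elsewhere in the file still builds `::ffff:$NET` rules, as the gateway and workstation scripts did before this commit, that loop needs the same split; otherwise the new variable is dead and should be dropped rather than advertised as a tunable. The enclosing variables_defaults() starts and ends outside this hunk.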
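Review bot: `inet daddr "$SERVER"` in the `@@ -90,7 +92,7 @@` hunk replaces a working `ip daddr` match with a form I cannot find among nft's payload expressions — in an `inet`-family table the address matches are still `ip daddr` and `ip6 daddr` — so unless the deployed nft accepts it, every VPN_SERVERS rule fails to load and VPN_FIREWALL mode loses its allow-list. If both families are wanted, keep the IPv4 rule and add a second loop for IPv6 servers the way the commit does for NON_TOR_GATEWAY_IP6; the default VPN_SERVERS value is IPv4-only in any case. The same `inet daddr` form is used for the new GATEWAY_IP6 lines in whonix-workstation-firewall (`@@ -307,9 +335,12 @@`), where the loopback line directly above them is, in this same commit, converted to explicit `ip daddr 127.0.0.1` and `ip6 daddr ::1`; I would make those four lines consistent with that. The enclosing nft_output() starts and ends outside this hunk.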
--- a/usr/bin/whonix-workstation-firewall
+++ b/usr/bin/whonix-workstation-firewall
@@ -39,11 +39,13 @@ variables_defaults() {
 ## Would fail if netvm is set to 'none',
 ## which is the case in Qubes R4 TemplateVMs.
 [ -n "${GATEWAY_IP:-}" ] || GATEWAY_IP="$(qubesdb-read /qubes-gateway 2> /dev/null)" || GATEWAY_IP="127.0.0.1"
+ [ -n "${GATEWAY_IP6:-}" ] || GATEWAY_IP6="::ffff:$(qubesdb-read /qubes-gateway6 2> /dev/null)" || GATEWAY_IP6="::1"
 else
 ## IP HARDCODED. If you want to change IP, set variable GATEWAY_IP through a
 ## drop-in configuration snippet in /etc/whonix_firewall.d
 ## configuration folder instead.
 [ -n "${GATEWAY_IP:-}" ] || GATEWAY_IP="10.152.152.10"
+ [ -n "${GATEWAY_IP6:-}" ] || GATEWAY_IP6="fd19:c33d:88bc::10"
 fi
 
 ## Since hardcoded in anon-ws-disable-stacked-tor.
@@ -51,6 +53,7 @@ variables_defaults() {
 ## drop-in configuration snippet in /etc/whonix_firewall.d
 ## configuration folder instead.
 [ -n "${GATEWAY_IP_HARDCODED:-}" ] || GATEWAY_IP_HARDCODED="10.152.152.10"
+ [ -n "${GATEWAY_IP6_HARDCODED:-}" ] || GATEWAY_IP6_HARDCODED="fd19:c33d:88bc::10"
 
 [ -n "${TUNNEL_FIREWALL_ALLOW_CONTROL_PORT_FILTER_PROXY:-}" ] || TUNNEL_FIREWALL_ALLOW_CONTROL_PORT_FILTER_PROXY=""
 [ -n "${TUNNEL_FIREWALL_ALLOW_LOCAL_NET:-}" ] || TUNNEL_FIREWALL_ALLOW_LOCAL_NET=""
@@ -63,7 +66,7 @@ variables_defaults() {
 if [ -z "${LOCAL_NET:-}" ]; then
 if test -f /usr/share/qubes/marker-vm; then
 LOCAL_NET="\
- 127.0.0.0/24 \
+ 127.0.0.0/8 \
 10.137.0.0/16 \
 10.138.0.0/16 \
 "
@@ -71,7 +74,7 @@ variables_defaults() {
 ## 10.0.2.2/24: VirtualBox DHCP
 ## IP HARDCODED unfortunately. Use a /etc/whonix_firewall.d configuration folder drop-in if you want to change it.
 LOCAL_NET="\
- 127.0.0.0/24 \
+ 127.0.0.0/8 \
 192.168.0.0/24 \
 192.168.1.0/24 \
 10.152.152.0/24 \
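Review bot: In the `@@ -39,11 +39,13 @@` hunk GATEWAY_IP6 is built as `::ffff:$(qubesdb-read /qubes-gateway6 …)`, an IPv4-mapped prefix glued in front of whatever the key returns; if /qubes-gateway6 yields a native IPv6 address (the Qubes ranges elsewhere in this commit are `fd09:24ef:4179::…`) the result contains two `::` groups and is not a valid literal, and if the key exists but is empty the value is the bare string `::ffff:`. Every `ip6 daddr "$GATEWAY_IP6"` rule added later in this file (`@@ -246`, `@@ -258`, `@@ -283`, `@@ -295`, `@@ -320`, `@@ -365`) then fails to load. I would take the value as-is and guard the empty case separately: `[ -n "${GATEWAY_IP6:-}" ] || GATEWAY_IP6="$(qubesdb-read /qubes-gateway6 2> /dev/null)" || GATEWAY_IP6="::1"` followed by `[ -n "$GATEWAY_IP6" ] || GATEWAY_IP6="::1"`. Whether the key holds a native or a mapped address is not visible here and should be confirmed against qubesdb. The enclosing variables_defaults() starts and ends outside this hunk.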
@@ -80,6 +83,31 @@ variables_defaults() {
 fi
 fi
 
+ if [ -z "${LOCAL_NET_IP6:-}" ]; then
+ if test -f /usr/share/qubes/marker-vm; then
+ LOCAL_NET_IP6="\
+ ::1/128 \
+ fd09:24ef:4179::a8a:/112 \
+ fd09:24ef:4179::a89:/112 \
+ ::ffff:127.0.0.0/104 \
+ ::ffff:10.137.0.0/112 \
+ ::ffff:10.138.0.0/112 \
+ "
+ else
+ ## 10.0.2.2/24: VirtualBox DHCP
+ ## IP HARDCODED unfortunately. Use a /etc/whonix_firewall.d configuration folder drop-in if you want to change it.
+ LOCAL_NET_IP6="\
+ ::1/128 \
+ fd19:c33d:88bc::0/96 \
+ ::ffff:127.0.0.0/104 \
+ ::ffff:192.168.0.0/120 \
+ ::ffff:192.168.1.0/120 \
+ ::ffff:10.152.152.0/120 \
+ ::ffff:10.0.2.2/120 \
+ "
+ fi
+ fi
+
 }
 
 nft_defaults() {
@@ -145,6 +173,9 @@ nft_input_rules() {
 ## Established incoming connections are accepted.
 $nftables_cmd add rule inet filter input ct state established counter accept
 
+ # Accept ICMPv6 neighbor discovery.
+ $nftables_cmd add rule inet filter input icmpv6 type "{ nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect }" counter accept
+
 ## Allow all incoming connections on the virtual VPN network interface,
 ## when TUNNEL_FIREWALL_ENABLE mode is enabled.
 ## DISABLED BY DEFAULT.
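Review bot: The input rule added in the `@@ -145,6 +173,9 @@` hunk accepts `nd-router-advert` and `nd-redirect` from any IPv6 source; both message types can change the workstation's default route and on-link prefixes, which for a Tor workstation is a leak-relevant control surface for anything able to inject packets on the internal link. RFC 4861 requires Router Advertisement and Redirect to come from a link-local source with hop limit 255, so the accept can be narrowed without breaking legitimate ND: keep `nd-neighbor-solicit`/`nd-neighbor-advert`/`nd-router-solicit` as they are (NS for DAD comes from `::`) and accept `nd-router-advert`/`nd-redirect` only with `ip6 saddr fe80::/10 ip6 hoplimit 255`. Whether the kernel honours RA or redirects at all depends on the `accept_ra`/`accept_redirects` sysctls, which this page does not show, so the rule should not be the only control. The gateway-side rule in firewall-common `nft_input_rules_gateway()` (`@@ -353,13 +353,15 @@`) has the same shape. The enclosing nft_input_rules() starts and ends outside this hunk.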
@@ -246,10 +277,9 @@ nft_output() {
 $nftables_cmd add rule inet filter output skuid "$SDWDATE_USER" ip daddr 127.0.0.1 counter accept
 $nftables_cmd add rule inet filter output skuid "$SDWDATE_USER" ip6 daddr ::1 counter accept
 $nftables_cmd add rule inet filter output skuid "$SDWDATE_USER" ip daddr "$GATEWAY_IP" counter accept
- $nftables_cmd add rule inet filter output skuid "$SDWDATE_USER" ip6 daddr "::ffff:$GATEWAY_IP" counter accept
+ $nftables_cmd add rule inet filter output skuid "$SDWDATE_USER" ip6 daddr "$GATEWAY_IP6" counter accept
 $nftables_cmd add rule inet filter output skuid "$SDWDATE_USER" ip daddr "$GATEWAY_IP_HARDCODED" counter accept
- $nftables_cmd add rule inet filter output skuid "$SDWDATE_USER" ip6 daddr "::ffff:$GATEWAY_IP_HARDCODED" counter accept
- ## TODO: IPv6 test
+ $nftables_cmd add rule inet filter output skuid "$SDWDATE_USER" ip6 daddr "$GATEWAY_IP6_HARDCODED" counter accept
 fi
 fi
 
@@ -258,10 +288,9 @@ nft_output() {
 $nftables_cmd add rule inet filter output skuid "$NOTUNNEL_USER" ip daddr 127.0.0.1 counter accept
 $nftables_cmd add rule inet filter output skuid "$NOTUNNEL_USER" ip6 daddr ::1 counter accept
 $nftables_cmd add rule inet filter output skuid "$NOTUNNEL_USER" ip daddr "$GATEWAY_IP" counter accept
- $nftables_cmd add rule inet filter output skuid "$NOTUNNEL_USER" ip6 daddr "::ffff:$GATEWAY_IP" counter accept
+ $nftables_cmd add rule inet filter output skuid "$NOTUNNEL_USER" ip6 daddr "$GATEWAY_IP6" counter accept
 $nftables_cmd add rule inet filter output skuid "$NOTUNNEL_USER" ip daddr "$GATEWAY_IP_HARDCODED" counter accept
- $nftables_cmd add rule inet filter output skuid "$NOTUNNEL_USER" ip6 daddr "::ffff:$GATEWAY_IP_HARDCODED" counter accept
- ## TODO: IPv6 test
+ $nftables_cmd add rule inet filter output skuid "$NOTUNNEL_USER" ip6 daddr "$GATEWAY_IP6_HARDCODED" counter accept
 fi
 fi
 
@@ -273,8 +302,9 @@ nft_output() {
 local local_net_item
 for local_net_item in $LOCAL_NET; do
 $nftables_cmd add rule inet filter output ip daddr "$local_net_item" counter accept
- $nftables_cmd add rule inet filter output ip6 daddr "::ffff:$local_net_item" counter accept
- ## TODO: IPv6 test
+ done
+ for local_net_item in $LOCAL_NET_IP6; do
+ $nftables_cmd add rule inet filter output ip6 daddr "$local_net_item" counter accept
 done
 fi
 fi
@@ -283,10 +313,9 @@ nft_output() {
 $nftables_cmd add rule inet filter output ip daddr 127.0.0.1 tcp dport "$CONTROL_PORT_FILTER_PROXY_PORT" counter accept
 $nftables_cmd add rule inet filter output ip6 daddr ::1 tcp dport "$CONTROL_PORT_FILTER_PROXY_PORT" counter accept
 $nftables_cmd add rule inet filter output ip daddr "$GATEWAY_IP" tcp dport "$CONTROL_PORT_FILTER_PROXY_PORT" counter accept
- $nftables_cmd add rule inet filter output ip6 daddr "::ffff:$GATEWAY_IP" tcp dport "$CONTROL_PORT_FILTER_PROXY_PORT" counter accept
+ $nftables_cmd add rule inet filter output ip6 daddr "$GATEWAY_IP6" tcp dport "$CONTROL_PORT_FILTER_PROXY_PORT" counter accept
 $nftables_cmd add rule inet filter output ip daddr "$GATEWAY_IP_HARDCODED" tcp dport "$CONTROL_PORT_FILTER_PROXY_PORT" counter accept
- $nftables_cmd add rule inet filter output ip6 daddr "::ffff:$GATEWAY_IP_HARDCODED" tcp dport "$CONTROL_PORT_FILTER_PROXY_PORT" counter accept
- ## TODO: IPv6 test
+ $nftables_cmd add rule inet filter output ip6 daddr "$GATEWAY_IP6_HARDCODED" tcp dport "$CONTROL_PORT_FILTER_PROXY_PORT" counter accept
 fi
 
 if [ "$TUNNEL_FIREWALL_ALLOW_TB_UPDATER" = "true" ]; then
@@ -295,10 +324,9 @@ nft_output() {
 else
 ## SOCKS_PORT_TBB_DOWNLOAD
 $nftables_cmd add rule inet filter output ip daddr "$GATEWAY_IP" tcp dport 9115 counter accept
- $nftables_cmd add rule inet filter output ip6 daddr "::ffff:$GATEWAY_IP" tcp dport 9115 counter accept
+ $nftables_cmd add rule inet filter output ip6 daddr "$GATEWAY_IP6" tcp dport 9115 counter accept
 $nftables_cmd add rule inet filter output ip daddr "$GATEWAY_IP_HARDCODED" tcp dport 9115 counter accept
- $nftables_cmd add rule inet filter output ip6 daddr "::ffff:$GATEWAY_IP_HARDCODED" tcp dport 9115 counter accept
- ## TODO: IPv6 test
+ $nftables_cmd add rule inet filter output ip6 daddr "$GATEWAY_IP6_HARDCODED" tcp dport 9115 counter accept
 fi
 fi
 
@@ -307,9 +335,12 @@ nft_output() {
 true
 else
 if [ -n "$SYSTEMCHECK_USER" ]; then
- $nftables_cmd add rule inet filter output skuid "$SYSTEMCHECK_USER" inet daddr 127.0.0.1 counter accept
+ $nftables_cmd add rule inet filter output skuid "$SYSTEMCHECK_USER" ip daddr 127.0.0.1 counter accept
+ $nftables_cmd add rule inet filter output skuid "$SYSTEMCHECK_USER" ip6 daddr ::1 counter accept
 $nftables_cmd add rule inet filter output skuid "$SYSTEMCHECK_USER" inet daddr "$GATEWAY_IP" counter accept
+ $nftables_cmd add rule inet filter output skuid "$SYSTEMCHECK_USER" inet daddr "$GATEWAY_IP6" counter accept
 $nftables_cmd add rule inet filter output skuid "$SYSTEMCHECK_USER" inet daddr "$GATEWAY_IP_HARDCODED" counter accept
+ $nftables_cmd add rule inet filter output skuid "$SYSTEMCHECK_USER" inet daddr "$GATEWAY_IP6_HARDCODED" counter accept
 fi
 fi
 fi
 
@@ -320,10 +351,9 @@ nft_output() {
 true "firewall_mode is $firewall_mode, therefore allowing DNS traffic."
 ## Allow Whonix-Workstation to query Whonix-Gateway for DNS.
 $nftables_cmd add rule inet filter output ip daddr "$GATEWAY_IP" udp dport 53 counter accept
- $nftables_cmd add rule inet filter output ip6 daddr "::ffff:$GATEWAY_IP" udp dport 53 counter accept
+ $nftables_cmd add rule inet filter output ip6 daddr "$GATEWAY_IP6" udp dport 53 counter accept
 $nftables_cmd add rule inet filter output ip daddr "$GATEWAY_IP_HARDCODED" udp dport 53 counter accept
- $nftables_cmd add rule inet filter output ip6 daddr "::ffff:$GATEWAY_IP_HARDCODED" udp dport 53 counter accept
- ## TODO: IPv6 test
+ $nftables_cmd add rule inet filter output ip6 daddr "$GATEWAY_IP6_HARDCODED" udp dport 53 counter accept
 if test -f /usr/share/qubes/marker-vm; then
 qubes_dns
 fi
@@ -365,19 +395,17 @@ nft_output() {
 $nftables_cmd add rule inet filter output skuid "$allowed_user_list_item" ip daddr 127.0.0.1 counter accept
 $nftables_cmd add rule inet filter output skuid "$allowed_user_list_item" ip6 daddr ::1 counter accept
 $nftables_cmd add rule inet filter output skuid "$allowed_user_list_item" ip daddr "$GATEWAY_IP" counter accept
- $nftables_cmd add rule inet filter output skuid "$allowed_user_list_item" ip6 daddr "::ffff:$GATEWAY_IP" counter accept
+ $nftables_cmd add rule inet filter output skuid "$allowed_user_list_item" ip6 daddr "$GATEWAY_IP6" counter accept
 $nftables_cmd add rule inet filter output skuid "$allowed_user_list_item" ip daddr "$GATEWAY_IP_HARDCODED" counter accept
- $nftables_cmd add rule inet filter output skuid "$allowed_user_list_item" ip6 daddr "::ffff:$GATEWAY_IP_HARDCODED" counter accept
- ## TODO: IPv6 test
+ $nftables_cmd add rule inet filter output skuid "$allowed_user_list_item" ip6 daddr "$GATEWAY_IP6_HARDCODED" counter accept
 done
 
 $nftables_cmd add rule inet filter output ip daddr 127.0.0.1 tcp dport "$CONTROL_PORT_FILTER_PROXY_PORT" counter accept
 $nftables_cmd add rule inet filter output ip6 daddr ::1 tcp dport "$CONTROL_PORT_FILTER_PROXY_PORT" counter accept
 $nftables_cmd add rule inet filter output ip daddr "$GATEWAY_IP" tcp dport "$CONTROL_PORT_FILTER_PROXY_PORT" counter accept
- $nftables_cmd add rule inet filter output ip6 daddr "::ffff:$GATEWAY_IP" tcp dport "$CONTROL_PORT_FILTER_PROXY_PORT" counter accept
+ $nftables_cmd add rule inet filter output ip6 daddr "$GATEWAY_IP6" tcp dport "$CONTROL_PORT_FILTER_PROXY_PORT" counter accept
 $nftables_cmd add rule inet filter output ip daddr "$GATEWAY_IP_HARDCODED" tcp dport "$CONTROL_PORT_FILTER_PROXY_PORT" counter accept
- $nftables_cmd add rule inet filter output ip6 daddr "::ffff:$GATEWAY_IP_HARDCODED" tcp dport "$CONTROL_PORT_FILTER_PROXY_PORT" counter accept
- ## TODO: IPv6 test
+ $nftables_cmd add rule inet filter output ip6 daddr "$GATEWAY_IP6_HARDCODED" tcp dport "$CONTROL_PORT_FILTER_PROXY_PORT" counter accept
 else
 if [ -z "$outgoing_allow_ip_list" ]; then
 true "firewall_mode is $firewall_mode and outgoing_allow_ip_list is empty, therefore allowing all outgoing traffic."
@@ -408,10 +436,13 @@ EXTERNAL_OPEN_PORTS
 EXTERNAL_UDP_OPEN_PORTS
 EXT_IF
 GATEWAY_IP
+GATEWAY_IP6
 GATEWAY_IP_HARDCODED
+GATEWAY_IP6_HARDCODED
 INTERNAL_OPEN_PORTS
 INT_IF
 LOCAL_NET
+LOCAL_NET_IP6
 NOTUNNEL_USER
 NO_REJECT_INVALID_OUTGOING_PACKAGES
 SDWDATE_USER
diff --git a/usr/libexec/whonix-firewall/firewall-common b/usr/libexec/whonix-firewall/firewall-common
index 29b57b3..d20c386 100755
--- a/usr/libexec/whonix-firewall/firewall-common
+++ b/usr/libexec/whonix-firewall/firewall-common
@@ -353,13 +353,15 @@ nft_input_rules_gateway() {
 $nftables_cmd add rule inet filter input icmp type destination-unreachable icmp code frag-needed ct state related counter accept
 fi
 
+ # Accept ICMPv6 neighbor discovery.
+ $nftables_cmd add rule inet filter input icmpv6 type "{ nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect }" counter accept
+
 ## Drop all incoming ICMP traffic by default.
 ## All incoming connections are dropped by default anyway, but should a user
 ## allow incoming ports (such as for incoming SSH or FlashProxy), ICMP should
 ## still be dropped to filter for example ICMP time stamp requests.
 if [ ! "$GATEWAY_ALLOW_INCOMING_ICMP" = "1" ]; then
 $nftables_cmd add rule inet filter input ip protocol icmp counter drop
- ## TODO: IPv6 test
 $nftables_cmd add rule inet filter input ip6 nexthdr icmpv6 counter drop
 fi