How to block all non tor traffic


hsfcyxr hsfcyxr

Apr 11, 2020, 8:32:39 AM
to qubes...@googlegroups.com

There’s a second computer to access the Clinet.
How do I completely block traffic bypassing sys-whonix? I don’t know much English, so I couldn’t find it myself, I read qubes and whonix documentation.
(I marked dom0 updates via tor during installation, prescribed “sudo systemctl restart qubes-whonix-torified-updates-proxy-check”, installed everything in Qube Manager except sys-firewall, sys-whonix, sys-net and Template VM on sys-whonix,
Qubes global settings -> Dom0 UpdateVM -> sys-whonix
Qubes global settings -> ClockVM -> sys-whonix
Qubes global settings -> Default netVM -> sys-whonix
Qubes global settings -> Default template -> fedora-30
Qubes global settings -> Default DisposableVM Template -> fedora-30-dvm
)
Maybe there are some guides to setting qubes to anonymity so that the browser can’t recognize my time zone (so that it is different on different AppVMs). And how to add a different language to the keyboard, again, so that it would be visible only on the AppVMs I need.

img: qubes-os[.]org/attachment/wiki/posts/admin-api.png
I will formulate a more specific question, as in the diagram above, to block all connections to sys-net except sys-whonix->sys-firewall->sys-net.




unman

Apr 11, 2020, 10:27:00 AM
to qubes...@googlegroups.com
On Sat, Apr 11, 2020 at 12:32:34PM +0000, hsfcyxr hsfcyxr wrote:
> There's a second computer to access the Clinet.
> How do I completely block traffic bypassing sys-whonix? I don't know much English, so I couldn't find it myself, I read qubes and whonix documentation.
> (I marked dom0 updates via tor during installation, prescribed "sudo systemctl restart qubes-whonix-torified-updates-proxy-check", installed everything in Qube Manager except sys-firewall, sys-whonix, sys-net and Template VM on sys-whonix,
> Qubes global settings -> Dom0 UpdateVM -> sys-whonix
> Qubes global settings -> ClockVM -> sys-whonix
> Qubes global settings -> Default netVM -> sys-whonix
> Qubes global settings -> Default template -> fedora-30
> Qubes global settings -> Default DisposableVM Template -> fedora-30-dvm
> )
> Maybe there are some guides to setting qubes to anonymity so that the browser can't recognize my time zone (so that it is different on different AppVMs). And how to add a different language to the keyboard, again, so that it would be visible only on the AppVMs I need. img: qubes-os[.]org/attachment/wiki/posts/admin-api.png
> I will formulate a more specific question, as in the diagram above, to block all connections to sys-net except sys-whonix->sys-firewall->sys-net.
>

I can't help with Whonix issues, but you should block outgoing traffic
originating from sys-net and sys-firewall.
Restrict traffic which is forwarded through sys-firewall to anything
originating from the vif and MAC of sys-whonix.
Then you're trusting Whonix to deliver what it promises.

Strange that you are using standard templates for default and
DisposableVM, when you are concerned with anonymity. Have you customised
that fedora-30 template? If not, you may be shooting yourself in the
foot.

Personally I don't use clock updates at all, and set time to UTC across
the board.
You can install language options in the templates and trigger changes on
an individual qube, which allows you to access different layout per
qube. If I understand your post, that's what you want? Check the
"keyboard" option in Qube Manager.

unman
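
The rules unman describes above, written out as an added example that is not part of the thread or of Qubes itself. It only prints iptables commands for review and does not apply them; the chain names `TORONLY-OUT` and `TORONLY-FWD`, the vif name `vif12.0` and the MAC address are constructed for illustration.

```shell
#!/bin/sh
# Added example: prints iptables commands for review, it does not apply them.
# Chain names TORONLY-OUT / TORONLY-FWD are hypothetical, chosen for this example.

# valid_vif NAME: accept only Xen backend names of the form vif<domid>.<devid>
valid_vif() {
    case $1 in *[!vif0-9.]*|'') return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^vif[0-9]+\.[0-9]+$'
}

# valid_mac ADDR: accept only six colon-separated hex octets
valid_mac() {
    case $1 in *[!0-9A-Fa-f:]*|'') return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# gen_output_rules: for sys-net and sys-firewall, drop everything the qube
# itself originates, leaving only loopback
gen_output_rules() {
    cat <<'EOF'
iptables -N TORONLY-OUT
iptables -A TORONLY-OUT -o lo -j ACCEPT
iptables -A TORONLY-OUT -j DROP
iptables -I OUTPUT 1 -j TORONLY-OUT
EOF
}

# gen_forward_rules VIF MAC: for sys-firewall, forward only packets that enter
# on sys-whonix's vif with sys-whonix's MAC, plus replies going back to that vif
gen_forward_rules() {
    vif=$1 mac=$2
    valid_vif "$vif" || { echo "bad vif name: $vif" >&2; return 1; }
    valid_mac "$mac" || { echo "bad MAC address: $mac" >&2; return 1; }
    cat <<EOF
iptables -N TORONLY-FWD
iptables -A TORONLY-FWD -i $vif -m mac --mac-source $mac -j ACCEPT
iptables -A TORONLY-FWD -o $vif -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A TORONLY-FWD -j DROP
iptables -I FORWARD 1 -j TORONLY-FWD
EOF
}

# Constructed sample values, not taken from the thread
gen_output_rules
gen_forward_rules vif12.0 00:16:3e:5e:6c:00
```

The vif name embeds the Xen domain ID, so it changes whenever sys-whonix is restarted and the FORWARD rules have to be regenerated. The OUTPUT drop also covers anything the qube itself must send (a DHCP client in sys-net, for instance), which would need its own ACCEPT rule ahead of the DROP.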

Chris Laprise

Apr 11, 2020, 2:30:17 PM
to hsf...@confidesk.com, qubes...@googlegroups.com
On 4/11/20 8:32 AM, hsfcyxr hsfcyxr wrote:
> There’s a second computer to access the Clinet.
> How do I completely block traffic bypassing sys-whonix? I don’t know
> much English, so I couldn’t find it myself, I read qubes and whonix
> documentation.
> (I marked dom0 updates via tor during installation, prescribed “sudo
> systemctl restart qubes-whonix-torified-updates-proxy-check”, installed
> everything in Qube Manager except sys-firewall, sys-whonix, sys-net and
> Template VM on sys-whonix,
> Qubes global settings -> Dom0 UpdateVM -> sys-whonix
> Qubes global settings -> ClockVM -> sys-whonix
> Qubes global settings -> Default netVM -> sys-whonix
> Qubes global settings -> Default template -> fedora-30
> Qubes global settings -> Default DisposableVM Template -> fedora-30-dvm
> )
> Maybe there are some guides to setting qubes to anonymity so that the
> browser can’t recognize my time zone (so that it is different on
> different AppVMs). And how to add a different language to the keyboard,
> again, so that it would be visible only on the AppVMs I need.
>
> img: qubes-os[.]org/attachment/wiki/posts/admin-api.png
> *I will formulate a more specific question, as in the diagram above, to
> block all connections to sys-net except sys-whonix->sys-firewall->sys-net.*

It's best to ask about Whonix specifics on the whonix.org forums.
However, I'm pretty sure that sys-whonix is already configured not to
allow any non-Tor traffic; that is the point of having a Tor VM in the
first place, to enforce network containment as strongly as possible.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

hsfcyxr hsfcyxr

Apr 11, 2020, 4:31:43 PM
to tas...@posteo.net, qubes...@googlegroups.com

This is understandable, but traffic connected to sys-firewall and sys-net bypasses tor. On the whonix forum I was told that this is impossible) If I translated his answer correctly.
https://forums.whonix.org/t/how-to-block-all-non-tor-traffic/9308
Basically, I figured out that sys-net needs to cut off all traffic that doesn't come from sys-firewall, but I can't figure out what to do with sys-firewall yet.



hsfcyxr hsfcyxr

Apr 11, 2020, 4:44:10 PM
to tas...@posteo.net, qubes...@googlegroups.com

Although it would seem to be a sniffer, I am embarrassed that the sniffer standing sys-firewall shows that the traffic comes from sys-firewall (not sys-whonix). And the sniffer from sys-net doesn't catch the ping connection to the site.

In general, I'll deal with iptables; if there are any more questions, I'll write.
