Whonix with firewall rules?


Axon

Mar 13, 2016, 3:25:14 AM3/13/16
to qubes...@googlegroups.com

Is it possible to add a FirewallVM between a Whonix-Workstation and a
Whonix-Gateway, so that only certain types of traffic are allowed
(just like with a regular, clearnet VM)? For example:

whonix-ws-email -> sys-fw-whonix -> whonix-gw -> sys-firewall -> sys-net

Then set up firewall rules allowing only pop3s traffic to
whonix-ws-email. The result should be that whonix-ws-email can only
download mail over pop3s; no other traffic gets through.

I tried testing this but couldn't get it to work. Either all traffic
gets through, or nothing gets through.

---------------------------------------------------------------------

Related point:

Changing the NetVM of a TemplateVM from sys-firewall (clearnet) to a
Whonix-Gateway means that traffic is no longer restricted to the
Updates Proxy. *All* traffic is allowed. This seems kind of dangerous,
but the benefit of Torified updates probably outweighs this drawback
for (careful) users.

entr0py

Mar 14, 2016, 1:25:42 PM3/14/16
to Axon, qubes...@googlegroups.com

Axon:
> Is it possible to add a FirewallVM between a Whonix-Workstation
> and a Whonix-Gateway, so that only certain types of traffic are
> allowed (just like with a regular, clearnet VM)? For example:
>
> whonix-ws-email -> sys-fw-whonix -> whonix-gw -> sys-firewall ->
> sys-net
>
> Then set up firewall rules allowing only pop3s traffic to
> whonix-ws-email. The result should be that whonix-ws-email can only
> download mail over pop3s; no other traffic gets through.
>
> I tried testing this but couldn't get it to work. Either all
> traffic gets through, or nothing gets through.
>
> ---------------------------------------------------------------------
>
> Related point:
>
> Changing the NetVM of a TemplateVM from sys-firewall (clearnet) to
> a Whonix-Gateway means that traffic is no longer restricted to the
> Updates Proxy. *All* traffic is allowed. This seems kind of
> dangerous, but the benefit of Torified updates probably outweighs
> this drawback for (careful) users.
>

I'd be curious to know this as well. Would you mind posting this to
the Whonix forums? https://forums.whonix.org/c/qubes
Patrick is very responsive.

Whonix Workstation has an additional firewall that is disabled by
default. Using it with Qubes is still undocumented, however.
https://www.whonix.org/wiki/Whonix-Workstation_Firewall


Andrew

Mar 14, 2016, 2:03:41 PM3/14/16
to qubes...@googlegroups.com
Axon:
> Is it possible to add a FirewallVM between a Whonix-Workstation and a
> Whonix-Gateway, so that only certain types of traffic are allowed
> (just like with a regular, clearnet VM)? For example:
>
> whonix-ws-email -> sys-fw-whonix -> whonix-gw -> sys-firewall -> sys-net
>
> Then set up firewall rules allowing only pop3s traffic to
> whonix-ws-email. The result should be that whonix-ws-email can only
> download mail over pop3s; no other traffic gets through.
>
> I tried testing this but couldn't get it to work. Either all traffic
> gets through, or nothing gets through.
>
> ---------------------------------------------------------------------
>
> Related point:
>
> Changing the NetVM of a TemplateVM from sys-firewall (clearnet) to a
> Whonix-Gateway means that traffic is no longer restricted to the
> Updates Proxy. *All* traffic is allowed. This seems kind of dangerous,
> but the benefit of Torified updates probably outweighs this drawback
> for (careful) users.
>

One reason not to do this is that it breaks stream isolation for traffic
from different AppVMs. This might not be a problem if all applications
support SOCKS proxies, though.

Anyway, have you tried setting firewall rules for the AppVM without using
an intermediary 'sys-fw-whonix'? IIUC, and maybe I don't, it should set
iptables INPUT rules for that AppVM on 'whonix-gw'. That's not ideal,
but seems like the best compromise.

Andrew

entr0py

Mar 14, 2016, 2:55:42 PM3/14/16
to Andrew, qubes...@googlegroups.com

On 03/14/2016 06:03 PM, Andrew wrote:
> Axon:
>> Is it possible to add a FirewallVM between a Whonix-Workstation
>> and a Whonix-Gateway, so that only certain types of traffic are
>> allowed (just like with a regular, clearnet VM)? For example:
>>
> One reason not to do this is that it breaks stream isolation for
> traffic from different AppVMs. This might not be a problem if all
> applications support SOCKS proxies, though.
>

I have very limited understanding of iptables. Is it not possible for
FirewallVM to forward the source IPs to the Gateway? Regardless,
stream isolation per port would still be in effect, but separate source
IPs would be required to isolate by AppVM. Also, I don't see the
significance of application support of SOCKS: non-SOCKS apps will
direct to 9040 TransPort and will be isolated by AppVM as long as
the source IP is different.


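The stream-isolation argument in the two posts above (per-port isolation survives a NAT'ing FirewallVM, per-AppVM isolation needs distinct source addresses) can be made concrete with a small model. This is an added example, not code from the thread, from Whonix or from Tor: the `Isolate*` names are Tor's real torrc listener flags, but which of them the gateway enables, the AppVM addresses and the destinations are all constructed here.

```python
from collections import defaultdict

# Tor listener isolation flags (real torrc option names). Tor only lets two
# streams share a circuit when every enabled flag agrees between them.
ALL_FLAGS = ("IsolateClientAddr", "IsolateDestAddr", "IsolateDestPort")

# Assumed gateway policy for this example: isolate by client address and
# destination port (what the thread describes as "per port" plus "by AppVM").
GATEWAY_FLAGS = ("IsolateClientAddr", "IsolateDestPort")

# Constructed streams from three Whonix workstations behind the gateway.
STREAMS = [
    {"vm": "whonix-ws-email", "src": "10.137.3.5", "dst": "mail.example.net", "dport": 995},
    {"vm": "whonix-ws-web",   "src": "10.137.3.6", "dst": "news.example.org", "dport": 443},
    {"vm": "whonix-ws-chat",  "src": "10.137.3.7", "dst": "chat.example.com", "dport": 443},
]
FW_IP = "10.137.2.1"  # constructed address of a hypothetical sys-fw-whonix


def isolation_key(stream, flags):
    """The tuple Tor compares to decide whether two streams may share a circuit."""
    key = []
    if "IsolateClientAddr" in flags:
        key.append(("client", stream["src"]))
    if "IsolateDestAddr" in flags:
        key.append(("dst", stream["dst"]))
    if "IsolateDestPort" in flags:
        key.append(("dport", stream["dport"]))
    return tuple(key)


def group_streams(streams, flags):
    """Map each isolation key to the AppVMs whose streams land on that circuit."""
    circuits = defaultdict(list)
    for s in streams:
        circuits[isolation_key(s, flags)].append(s["vm"])
    return dict(circuits)


def masquerade(streams, fw_ip):
    """Model a FirewallVM that SNATs every AppVM to a single upstream address."""
    return [dict(s, src=fw_ip) for s in streams]


def shared_circuits(streams, flags):
    """Sets of distinct AppVMs that would end up sharing one Tor circuit."""
    return {frozenset(vms) for vms in group_streams(streams, flags).values()
            if len(set(vms)) > 1}


if __name__ == "__main__":
    print("direct:      ", shared_circuits(STREAMS, GATEWAY_FLAGS))
    print("masqueraded: ", shared_circuits(masquerade(STREAMS, FW_IP), GATEWAY_FLAGS))
    print("+DestAddr:   ", shared_circuits(masquerade(STREAMS, FW_IP), ALL_FLAGS))
```

With distinct source addresses no two AppVMs share a circuit; once the FirewallVM masquerades them, the two VMs talking to port 443 collapse onto one circuit, and only adding destination-address isolation separates them again.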

Axon

Mar 16, 2016, 8:09:06 AM3/16/16
to Andrew, qubes...@googlegroups.com

Andrew:
> Axon:
>> Is it possible to add a FirewallVM between a Whonix-Workstation
>> and a Whonix-Gateway, so that only certain types of traffic are
>> allowed (just like with a regular, clearnet VM)? For example:
>>
>> whonix-ws-email -> sys-fw-whonix -> whonix-gw -> sys-firewall ->
>> sys-net
>>
>> Then set up firewall rules allowing only pop3s traffic to
>> whonix-ws-email. The result should be that whonix-ws-email can
>> only download mail over pop3s; no other traffic gets through.
>>
>> I tried testing this but couldn't get it to work. Either all
>> traffic gets through, or nothing gets through.
>>
>> ---------------------------------------------------------------------
>>
>> Related point:
>>
>> Changing the NetVM of a TemplateVM from sys-firewall (clearnet)
>> to a Whonix-Gateway means that traffic is no longer restricted to
>> the Updates Proxy. *All* traffic is allowed. This seems kind of
>> dangerous, but the benefit of Torified updates probably outweighs
>> this drawback for (careful) users.
>>
>
> One reason not to do this is that it breaks stream isolation for
> traffic from different AppVMs. This might not be a problem if all
> applications support SOCKS proxies, though.
>

Really? I would find that surprising, since the old TorVM allowed
putting a FirewallVM between the AnonVM and the TorVM and enforcing
firewall rules without breaking stream isolation for traffic from
different AnonVMs.

> Anyway have you tried setting firewall rules for the AppVM without
> using an intermediary 'sys-fw-whonix'?

Yeah, tried that; didn't work for me either.

> IIUC, and maybe I don't, it should set iptables INPUT rules for
> that AppVM on 'whonix-gw'. That's not ideal, but seems like the
> best compromise.
>
> Andrew
>


Patrick Schleizer

Mar 17, 2016, 12:45:08 PM3/17/16
to qubes...@googlegroups.com
Axon:
> Is it possible to add a FirewallVM between a Whonix-Workstation and a
> Whonix-Gateway, so that only certain types of traffic are allowed
> (just like with a regular, clearnet VM)? For example:
>
> whonix-ws-email -> sys-fw-whonix -> whonix-gw -> sys-firewall -> sys-net

How to add a ProxyVM between anon-whonix and sys-whonix?
(whonix-ws-email -> sys-fw-whonix -> whonix-gw -> sys-firewall -> sys-net)

https://forums.whonix.org/t/how-to-add-a-proxyvm-between-anon-whonix-and-sys-whonix-whonix-ws-email-sys-fw-whonix-whonix-gw-sys-firewall-sys-net

> Related point:
>
> Changing the NetVM of a TemplateVM from sys-firewall (clearnet) to a
> Whonix-Gateway means that traffic is no longer restricted to the Updates
> Proxy. *All* traffic is allowed. This seems kind of dangerous,
> but the benefit of Torified updates probably outweighs this drawback
> for (careful) users.

sys-whonix does not yet function was Qubes FirewallVM

https://forums.whonix.org/t/sys-whonix-does-not-yet-function-was-qubes-firewallvm

Axon

Mar 19, 2016, 2:54:39 PM3/19/16
to entr0py, qubes...@googlegroups.com

entr0py:
> Axon:
>> Is it possible to add a FirewallVM between a Whonix-Workstation
>> and a Whonix-Gateway, so that only certain types of traffic are
>> allowed (just like with a regular, clearnet VM)? For example:
>
>> whonix-ws-email -> sys-fw-whonix -> whonix-gw -> sys-firewall ->
>> sys-net
>
>> Then set up firewall rules allowing only pop3s traffic to
>> whonix-ws-email. The result should be that whonix-ws-email can
>> only download mail over pop3s; no other traffic gets through.
>
>> I tried testing this but couldn't get it to work. Either all
>> traffic gets through, or nothing gets through.
>
>> ---------------------------------------------------------------------
>>
>> Related point:
>>
>> Changing the NetVM of a TemplateVM from sys-firewall (clearnet)
>> to a Whonix-Gateway means that traffic is no longer restricted to
>> the Updates Proxy. *All* traffic is allowed. This seems kind of
>> dangerous, but the benefit of Torified updates probably outweighs
>> this drawback for (careful) users.
>
>
> I'd be curious to know this as well. Would you mind posting this
> to the Whonix forums? https://forums.whonix.org/c/qubes Patrick is
> very responsive.
>

I've posted the question there. Thanks for the tip!

> Whonix Workstation has an additional firewall that is disabled by
> default. Using it with Qubes is still undocumented, however.
> https://www.whonix.org/wiki/Whonix-Workstation_Firewall
>
>
