Email-vm via sys-whonix but with fw rules

Hi,
I’m trying to let my email-vm connect only to the mail server by blocking the rest of the outgoing traffic. The problem is that the email-vm goes through sys-whonix. So if I make some fw rules on the email-vm, they do not affect the connection. I think because of sys-whonix.

How can I realize that?

Best regards
qun

Yes, Whonix doesn’t enforce Qubes firewall rules.
Add a firewall between the email-vm and sys-whonix

Ah, ok. I will just try it, thanks!

Wonderful, everything works… it just killed Thunderbird’s HTTP connection, I think for an internal website.

Love Qubes! This flexibility is really great!


Yes, and it’s worth understanding why. Remember that Tor works by wrapping your traffic in layers of encryption such that each node in your Tor circuit can decrypt only its own layer. Normally, sys-firewall enforces firewall rules. However, in this case, sys-firewall cannot read your traffic in order to enforce firewall rules, because the traffic has already been encrypted by sys-whonix before it reaches sys-firewall. This is why unman’s solution works: Because you’re adding a firewall VM before sys-whonix, before the traffic gets encrypted.

Except that in every other case, rules are enforced on a qube’s netvm,
whereas sys-whonix just ignores them.
And if you insert a firewallVM to enforce the rules then all traffic
arriving at sys-whonix will appear to come from the same IP address - I
have no idea what effect this will have on Tor circuits.

Thanks! So the problem is that the firewall cannot read encrypted traffic. Makes sense.

@unman: I didn’t really understand what you mean… but I think it’s too specific.

By the way, is it possible that the port 80 connection of Thunderbird is for the DKIM check? Just opened them, but no effect… it cannot connect to the DKIM check. But Wireshark shows nothing blocked except the port 80 ones. Hmmm… is it also something about Tor?

It may be too specific, but it does have the benefit of being right.

If you have THIS:
sys-net - sys-firewall - firewall2 - qube

Then the rules for “qube” are enforced on firewall2, its netvm.
Firewall rules are processed on the immediate netvm.

In this case, sys-firewall doesn’t see any traffic from qube. It only
sees traffic that appears to come from firewall2.

sys-whonix breaks this model, because it doesn’t process firewall rules
at all.
So in this case:
sys-net - sys-firewall - sys-whonix - qube
NO firewall rules are implemented. (They are not written on
sys-firewall but can’t be processed because traffic is encrypted - they
are not written at all.)

If you insert a new firewall:
sys-net - sys-firewall - sys-whonix - firewall2 - qube
Then you do get benefit of a firewall, but sys-whonix only sees
traffic that seems to originate from firewall2, which may do strange
(and unwanted) things to Tor circuits.

Ah, ok… now I understand it a little more deeply, thanks!
Although I have no idea about possible problems with Tor circuits in that case.

Here’s an example:
You have 2 qubes, and you ssh into one server.
If you have both connected to sys-whonix then stream isolation
will ensure you use different circuits, (Isolate Client Address is on
by default).
If you attach both to a firewall, then at sys-whonix the ssh traffic
appears to come from the IP of the firewall, so will not trigger stream
isolation, and both streams will use the same circuit. At the server
both logins will appear to come from the same IP address. This may not
be what you want.

This is just an example - I don’t know what steps Whonix takes to
mitigate this, (if any), and I find the documentation unclear, but it is a
potential issue.
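The two points unman makes above (rules are processed on the immediate netvm, and a Whonix gateway processes none; a shared firewall qube makes every client arrive at the gateway from one IP, defeating client-address stream isolation) can be checked mechanically from the netvm topology. The script below is an added example, not code from this thread, from Qubes or from Whonix. It reads lines of the form `name|netvm` (the shape of `qvm-ls --raw-data --fields NAME,NETVM` in dom0, here replaced by a constructed sample), reports which qube would enforce each qube's rules, lists client groups that share one firewall in front of a gateway, and prints (without running) the dom0 commands for the "insert a firewall before sys-whonix" fix. The gateway-name pattern, the `fw-email` and `fedora-40-minimal` names, `mail.example.org`, and the `qvm-firewall` key=value rule syntax with the default accept rule at index 0 are assumptions; check them against `qvm-firewall --help` in dom0.

```shell
#!/bin/sh
# Added example for this thread; not code from the forum, Qubes or Whonix.
# It applies the model unman describes: a qube's firewall rules are enforced
# on its immediate netvm, a Whonix gateway as netvm enforces none of them,
# and qubes that share one firewall qube in front of a gateway reach the
# gateway from that firewall's single IP, so client-address stream
# isolation cannot separate them.
# Input: one "<name>|<netvm>" line per qube, the shape of
#   qvm-ls --raw-data --fields NAME,NETVM
# in dom0 ('-' or empty netvm = no network).
# Assumption: a gateway is any qube named sys-whonix* or *whonix-gw*.

is_whonix_gateway() {
    case "$1" in
        sys-whonix*|*whonix-gw*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints "<qube> <enforcer> <status>" for every input line.
audit_firewall_enforcement() {
    while IFS='|' read -r name netvm; do
        [ -n "$name" ] || continue
        case "$netvm" in
            ''|-) echo "$name - no-network" ;;
            *)
                if is_whonix_gateway "$netvm"; then
                    echo "$name $netvm NOT-ENFORCED"
                else
                    echo "$name $netvm enforced"
                fi ;;
        esac
    done
}

# Prints "<firewall>: <qube> <qube> ..." for each non-gateway qube that sits
# directly on a Whonix gateway and is the netvm of two or more qubes.
shared_circuit_groups() {
    data=$(cat)
    printf '%s\n' "$data" | while IFS='|' read -r name netvm; do
        if is_whonix_gateway "$netvm" && ! is_whonix_gateway "$name"; then
            echo "$name"
        fi
    done | while read -r fw; do
        clients=$(printf '%s\n' "$data" | awk -F'|' -v fw="$fw" \
            '$2 == fw { s = s (s ? " " : "") $1 } END { print s }')
        n=$(printf '%s\n' "$clients" | wc -w)
        if [ "$((n + 0))" -ge 2 ]; then
            echo "$fw: $clients"
        fi
    done
}

# Prints (does not run) the dom0 commands that put a firewall qube FW between
# QUBE and its gateway GW and limit QUBE to IMAPS and submission on HOST.
# Assumptions: the key=value rule syntax of qvm-firewall, and that the
# qube's only existing rule is the default accept-all at index 0.
plan_firewall_insert() {
    qube=$1 gw=$2 fw=$3 host=$4 template=${5:-fedora-40-minimal}
    cat <<EOF
qvm-create --class AppVM --template $template --label orange $fw
qvm-prefs $fw provides_network True
qvm-prefs $fw netvm $gw
qvm-prefs $qube netvm $fw
qvm-firewall $qube del --rule-no 0
qvm-firewall $qube add action=accept dsthost=$host proto=tcp dstports=993
qvm-firewall $qube add action=accept dsthost=$host proto=tcp dstports=587
qvm-firewall $qube add action=accept specialtarget=dns
qvm-firewall $qube add action=drop
EOF
}

# Constructed sample mirroring the thread's layout; --live reads dom0 instead.
SAMPLE='email-vm|fw2
shell-vm|fw2
fw2|sys-whonix
anon-whonix|sys-whonix
sys-whonix|sys-firewall
sys-firewall|sys-net
sys-net|-
vault|-'

if [ "${1:-}" = "--live" ]; then
    input=$(qvm-ls --raw-data --fields NAME,NETVM)
else
    input=$SAMPLE
fi
echo "== which qube enforces each qube's rules =="
printf '%s\n' "$input" | audit_firewall_enforcement
echo "== qubes arriving at a gateway from one shared address =="
printf '%s\n' "$input" | shared_circuit_groups
echo "== dom0 commands to fence email-vm in behind sys-whonix =="
plan_firewall_insert email-vm sys-whonix fw-email mail.example.org
```

On the sample, `email-vm` and `shell-vm` are reported as `enforced` (their netvm is `fw2`), `fw2` itself and `anon-whonix` as `NOT-ENFORCED` (their netvm is `sys-whonix`), and `fw2: email-vm shell-vm` is the group that reaches the gateway from one address. Run it with `--live` in dom0 to audit a real system; the planned commands are printed for review rather than executed, and the accept list should be extended to whatever else the fenced qube legitimately needs to reach.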

Thanks for the information. Two questions:

  • Is this also the case with VPN qubes? Do they always enforce firewall rules correctly?

  • Is sys-whonix ignoring them part of a design choice (i.e., intended to keep firewall rule enforcement and Torification compartmentalized in separate VMs), or do you think it’s an oversight or bug?

I don’t use either, and I don’t have time to check the code.
On the Whonix side I consider it a major longstanding bug.

Oh, now I understand, thanks a lot!
I will try it in the next days, to see if I have the same circuit on 2 VMs going through the sys-whonix firewall.

Would a possible solution reside in running different whonix gateways?

Something like:

sys-net - sys-fw - sys-whonix-gw1 - fw1 - anon email qube
                 - sys-whonix-gw2 - fw2 - bitcoin core qube
                 - sys-whonix-gw  - anon qube
                                  - disp qube

Yes - still no firewall support, but no common circuit.

Uhm, so that would be pointless anyway.

It’s not pointless - it gives you separation of circuits which is a good
thing, and allows you some firewall support.


The Qubes-Whonix UpdatesProxy stream isolation status is now documented here:
Qubes UpdatesProxy Stream Isolation

Making Qubes-Whonix VMs work as FirewallVM is tracked in a dedicated ticket here: