Qubes 4.2 vm-firewall-settings won't limit outgoing connections

Hey!
I am using Qubes 4.2. I have a mail-vm, and I tried to set the firewall of this very VM to limit outgoing connections to my mail provider's SMTP port (using the Qube Manager GUI). But if I test it, it is still opening links to all kinds of websites.
What am I doing wrong?

In a dom0 terminal, what does the following command return?

qvm-firewall <qube name>

Redact your mail provider IP from the result if you wish.

see below

Thanks for your quick answer, this is what the terminal returns:

NO ACTION HOST PROTOCOL PORT(S) SPECIAL TARGET ICMP TYPE EXPIRE COMMENT
0 accept mail.provider.org tcp 465 - - - -
1 accept - - - dns - - -
2 accept - icmp - - - - -
3 drop - - - - - - -
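As an added example (not code from the thread or from Qubes itself), here is a small shell script that parses the table printed by qvm-firewall, as shown above, and reports the properties that decide whether the policy is actually restrictive: whether the last rule is a drop, which accept rules use DNS names instead of IPs, which TCP host:port targets are allowed, and whether any accept rule matches everything. The sample table is the one from this thread, embedded as constructed input; the column layout (9 fields per rule row) is assumed from that output.

```shell
# Added example: parse the table printed by "qvm-firewall <qube>" (read on
# stdin) and report the properties that decide whether the policy is
# actually restrictive. Column order as in the thread's output:
#   NO ACTION HOST PROTOCOL PORT(S) SPECIAL-TARGET ICMP-TYPE EXPIRE COMMENT
# (9 whitespace-separated fields per rule row; the header is line 1).

# Action of the last rule; a restrictive policy ends with "drop".
last_rule_action() {
    awk 'NR > 1 && NF >= 2 { last = $2 } END { print last }'
}

# Hosts in accept rules that are DNS names rather than IPs or CIDRs.
# These only match after the firewall qube has resolved them, so they
# deserve a second look when a rule does not seem to take effect.
named_accept_hosts() {
    awk 'NR > 1 && $2 == "accept" && $3 != "-" && $3 !~ /^[0-9.]+(\/[0-9]+)?$/ { print $3 }'
}

# TCP host:port pairs the policy allows, one per line.
allowed_tcp_targets() {
    awk 'NR > 1 && $2 == "accept" && $4 == "tcp" { print $3 ":" $5 }'
}

# Number of accept rules with no host, protocol or special target,
# i.e. rules that allow everything.
wide_open_accepts() {
    awk 'NR > 1 && $2 == "accept" && $3 == "-" && $4 == "-" && $6 == "-" { n++ }
         END { print n + 0 }'
}

# Exit 0 when the table ends in drop and contains no allow-all rule.
policy_is_restrictive() {
    rules=$(cat)
    [ "$(printf '%s\n' "$rules" | last_rule_action)" = "drop" ] &&
        [ "$(printf '%s\n' "$rules" | wide_open_accepts)" -eq 0 ]
}

# Constructed sample: the table posted in this thread, not live output.
SAMPLE_RULES='NO ACTION HOST PROTOCOL PORT(S) SPECIAL TARGET ICMP TYPE EXPIRE COMMENT
0 accept mail.provider.org tcp 465 - - - -
1 accept - - - dns - - -
2 accept - icmp - - - - -
3 drop - - - - - - -'

# In dom0 the live equivalent is:  qvm-firewall mail-vm | allowed_tcp_targets
printf '%s\n' "$SAMPLE_RULES" | allowed_tcp_targets
printf '%s\n' "$SAMPLE_RULES" | policy_is_restrictive && echo "policy ends in drop, no allow-all rule"
```

A table that passes these checks is still only enforced by the qube's netvm, which is the point the rest of the thread turns on: if the netvm does not apply Qubes firewall rules, the rules are correct but have no effect.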

Just to be sure, since you used a domain here, are you also using a domain for your mail provider, or have you replaced an IP with that random domain?

Can you open a terminal in the netvm used for your mail qube and share the output of this command:

sudo nft list table ip qubes-firewall

It is the same domain I use as outgoing server in Thunderbird.

net-vm output:
[gateway user ~]% sudo nft list table ip qubes-firewall
Error: No such file or directory
list table ip qubes-firewall
^^^^^^^^^^^^^^
zsh: exit 1 sudo nft list table ip qubes-firewall

Strange, it should work.
What is the netvm based on (Debian, Fedora, or Whonix)?

Whonix

If I’m not mistaken, Whonix ignores Qubes firewall rules and uses its own internal firewall. If you really want to use the Qubes firewall, you would have to put a new qube between your mail qube and the whonix gateway so that it applies the rules you set on your mail qube, but I’m not sure if this is good for stream isolation.

I found the following post on the Whonix forum that is close to what you are trying to do:


Thanks, I'll have a look. Is this why my mail-vm is giving me this response to sudo journalctl -u qubes-firewall.service:

Feb 26 01:11:42 mail-vm systemd[1]: qubes-firewall.service - Qubes firewall updater was skipped because of an unmet condition check (ConditionPathExists=/var/run/qubes-service/qubes>

This is supposed to happen. The qubes firewall is enabled when the qube has “provides network” checked in the settings and is acting as a gateway for other qubes. Since your qube only runs your mail application, the condition is not met and the service is not started.

I guess this is a solution, though I have new problems now ;). Thanks for your effort!


You're not mistaken. Whonix does ignore firewall rules. If you put in a firewall, then all the traffic arriving at Whonix will appear to have come from the firewall qube (masquerade). This will impact isolation. So you are right here too.


Does this mean it is not recommended to configure a sys-in-between_debian_and_sys-whonix kind of situation?

I don't use Whonix. I don't know what Whonix recommends - you should ask in the Whonix forums, or check the Whonix web site. If you want to restrict outbound traffic in Qubes when using Whonix, I think this is the only option. You could of course deploy multiple firewalls and attach various qubes/Whonix-WS to them, to minimise the effect on stream treatment.