Restrict Whonix-based qube to selected website/host?

Hi,

I know how to restrict a clearnet qube to a specific host (through “Settings” tab or through qvm-firewall). I also understand that Whonix works through Tor proxy which itself requires connections to the Tor guard to work, so simply restricting a whonix-based qube “the clearnet way” would not work.

So, what is the correct way to restrict access of a whonix-based qube to specific host(s)?

myqube <-> tor <-> selectedhost.com

> So, what is the correct way to restrict access of a whonix-based qube to specific host(s)?

You should be able to put a firewall qube between the whonix gateway and its clients. Then just use qvm-firewall as usual on the respective client qube you want to restrict.
Possibly there’s already a firewall qube in front of the whonix hosts by default - I haven’t used it in a while.

@disp6252

Thanks for the link. I will look at it.

(Strangely, I didn’t receive an email notification about your reply, but luckily I noticed it in the forum.)

@tripleh

> You should be able to put a firewall qube between the whonix gateway and its clients.

I am not sure I understand what you mean because whonix-ws clients use sys-whonix as netvm (not whonix-gw-16). Are you suggesting:

sys-whonix <-> custom-firewall-qube <-> client

Wouldn’t then firewall rules prevent the client from connecting to sys-whonix?
I hope you can clarify.

That seems to be the standard method, AFAIK.

Not unless you specifically add firewall rules to achieve that effect.


> I am not sure I understand what you mean because whonix-ws clients use sys-whonix as netvm (not whonix-gw-16). Are you suggesting:
>
> sys-whonix <-> custom-firewall-qube <-> client

Yes, that’s what I was talking about.

There’s a good point about stream isolation on the previously linked thread though.
