Stopping Packets Not sent from sys-whonix in sys-firewall sys-net

I installed OpenSnitch in a custom Debian template so I could try to monitor if any connections were being made outside of sys-whonix and I tested this as a sys-firewall.

It is blocking a large number of queries to debian.org and debian.qubes.org. I do not want my sys-firewall and sys-net to be querying different websites for updates or querying anything. Qubes is set to updating through sys-whonix.

This could also be a risk for naive Qubes users who think sys-whonix is protecting them. If sys-firewall is sending packets querying debian.qubes.org, any internet provider observing packets and selling that information will be able to determine someone is a Qubes user. Even if someone puts another VM in front of sys-whonix that obfuscates Tor traffic, a hostile government that has made Tor illegal may guess someone is a Tor user based on DNS queries.

Are these packets being detected by OpenSnitch ones that would normally exit the system to the Internet?
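An added example for the question just asked (not the poster's code and not Qubes' own): in a NetVM or ProxyVM the DNS traffic on the wire is a mix of the qube's own lookups and lookups it is merely routing for qubes behind it, and the source address tells them apart. The capture below is constructed to look like `tcpdump -n port 53` output, the qube's own address 10.137.0.5, the downstream qube's 10.137.0.21 and the resolver 10.139.1.1 are all assumed values for the example. OpenSnitch, being a per-host application firewall, already only reports connections opened by processes inside the qube it runs in; this packet-level view makes the same distinction by address and works even where OpenSnitch is not installed.

```python
"""Tell a NetVM/ProxyVM's own DNS queries apart from the ones it forwards.

Added example, not from the original post or from Qubes. The capture below
is constructed to look like `tcpdump -n port 53` output; the qube's own IP
(10.137.0.5), the downstream qube (10.137.0.21) and the resolver
(10.139.1.1) are hypothetical. A query whose source is the qube's own
address was generated by a process inside that qube (e.g. apt reaching a
mirror); queries from other addresses are traffic routed for qubes behind it.
"""
import re
from collections import defaultdict

# Constructed sample capture (tcpdump-style lines, made up for this example).
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.137.0.5.41000 > 10.139.1.1.53: 1001+ A? debian.org. (28)
12:00:01.000002 IP 10.137.0.5.41001 > 10.139.1.1.53: 1002+ AAAA? debian.org. (28)
12:00:02.000003 IP 10.137.0.5.41002 > 10.139.1.1.53: 1003+ A? debian.qubes.org. (34)
12:00:03.000004 IP 10.137.0.21.51000 > 10.139.1.1.53: 1004+ A? example.net. (29)
12:00:03.000005 IP 10.139.1.1.53 > 10.137.0.5.41000: 1001 1/0/0 A 192.0.2.10 (44)
"""

# Matches query lines only: destination port 53, a query id with '+',
# optional EDNS bracket, record type, and the name with its trailing dot.
QUERY_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.53: "
    r"\d+\+\S* (?:\[[^\]]*\] )?(?P<qtype>[A-Z]+)\? (?P<name>\S+)\. \("
)


def parse_queries(capture: str):
    """Yield (src_ip, qtype, name) for every query line; answers are skipped."""
    for line in capture.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("src"), m.group("qtype"), m.group("name")


def classify(capture: str, own_ip: str):
    """Split per-name query counts into (own, forwarded) by source address."""
    own, forwarded = defaultdict(int), defaultdict(int)
    for src, _qtype, name in parse_queries(capture):
        (own if src == own_ip else forwarded)[name] += 1
    return dict(own), dict(forwarded)


def unexpected_own_queries(capture: str, own_ip: str, allowed=frozenset()):
    """Names the qube looked up for itself that are not on the allowlist.

    For a sys-firewall that is supposed to do nothing but route, the
    allowlist is empty and every entry returned here needs an explanation.
    """
    own, _forwarded = classify(capture, own_ip)
    return sorted(name for name in own if name not in allowed)


if __name__ == "__main__":
    own, forwarded = classify(SAMPLE_CAPTURE, "10.137.0.5")
    print("own lookups:      ", own)
    print("forwarded lookups:", forwarded)
    print("unexpected:       ", unexpected_own_queries(SAMPLE_CAPTURE, "10.137.0.5"))
```

On a real system the capture would come from `tcpdump -n -i eth0 port 53` inside the qube, with the qube's address taken from `ip -4 addr`; the lookups attributed to the qube itself are the ones worth tracing back to a process (a template's apt proxy setting, a time daemon, and so on).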

There are three different config options for updates and you need to change all of them:

  • Dom0 update proxy
  • Default update proxy (for non-whonix templates)
  • Whonix update proxy

Did you change all three of them to sys-whonix?
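To show why the proxy settings for templates are decided rule by rule, here is an added example (not Qubes' own code, and not from anyone in this thread): a small resolver that applies the first-match logic of the Qubes R4.1 qrexec policy format to a template. The policy lines, the `whonix-updatevm` tag and the file names `30-user.policy` / `90-default.policy` are my rendering of the defaults and are assumptions for the example; the real decision is made by `qrexec-policy` in dom0, and dom0's own updates are governed separately by `qubes-prefs updatevm`, which this script does not model.

```python
"""Resolve which update proxy a template gets under qrexec policy.

Added example, not Qubes' own code. It implements only the subset of the
Qubes R4.1 policy syntax needed here (service, argument, source, target,
action, and the `target=` parameter). The policy lines below are my
rendering of the defaults and are assumptions; qrexec-policy in dom0 is
the real authority. dom0's own UpdateVM (`qubes-prefs updatevm`) is a
separate setting and is not modelled.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Qube:
    name: str
    klass: str                      # "TemplateVM", "AppVM", ...
    tags: frozenset = field(default_factory=frozenset)


# Assumed rendering of the relevant lines of 90-default.policy.
# Rules are evaluated top to bottom; the first match wins.
DEFAULT_POLICY = """\
qubes.UpdatesProxy  *  @tag:whonix-updatevm  @default  allow target=sys-whonix
qubes.UpdatesProxy  *  @type:TemplateVM      @default  allow target=sys-net
"""

# Constructed override of the kind a user puts in 30-user.policy. Files are
# loaded in filename order, so 30-user.policy precedes 90-default.policy.
USER_OVERRIDE = """\
qubes.UpdatesProxy  *  @type:TemplateVM  @default  allow target=sys-whonix
"""


def _source_matches(spec: str, qube: Qube) -> bool:
    """Match a policy source token (*, @anyvm, @type:, @tag:, name) against a qube."""
    if spec in ("*", "@anyvm"):
        return True
    if spec.startswith("@type:"):
        return qube.klass == spec[len("@type:"):]
    if spec.startswith("@tag:"):
        return spec[len("@tag:"):] in qube.tags
    return spec == qube.name


def resolve_updates_proxy(policy_text: str, qube: Qube):
    """Return the proxy qube the first matching rule sends `qube` to.

    Returns None when no rule allows the call (deny, ask, or no match).
    Templates call qubes.UpdatesProxy with the @default target, so only
    rules whose target column is @default are considered.
    """
    for raw in policy_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 5:
            continue
        service, argument, source, target, action = parts[:5]
        params = dict(p.split("=", 1) for p in parts[5:] if "=" in p)
        if service != "qubes.UpdatesProxy" or argument != "*":
            continue
        if target != "@default" or not _source_matches(source, qube):
            continue
        # The first matching rule decides, whatever its action.
        return params.get("target") if action == "allow" else None
    return None


def audit(policy_text: str, qubes, wanted: str = "sys-whonix"):
    """Names of the qubes whose updates would NOT go through `wanted`."""
    return sorted(q.name for q in qubes
                  if resolve_updates_proxy(policy_text, q) != wanted)


if __name__ == "__main__":
    debian = Qube("debian-11", "TemplateVM")
    whonix = Qube("whonix-gw-16", "TemplateVM", frozenset({"whonix-updatevm"}))
    for label, policy in (("defaults only", DEFAULT_POLICY),
                          ("with override", USER_OVERRIDE + DEFAULT_POLICY)):
        print(f"{label}: not via sys-whonix -> {audit(policy, [debian, whonix])}")
```

With the defaults alone, the Whonix template matches the tag rule and goes to sys-whonix while every other template matches the type rule and goes to sys-net, which is exactly the "default update proxy" setting in the list above; the override placed in the earlier-loaded user file changes that for all templates at once.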

Two things:

OpenSnitch is a great desktop app, but only applies to the VM it is running on. Since Qubes by design forwards packets through a chain of hops (VMs/routers), you should instead embrace the way Qubes forwards packets from VM to VM. It’s more complicated for sure, but really the way to go.

Also, there are packets that shouldn’t be redirected through Tor. The first obvious example is your network interface sending the initial DHCP request to get a local IP address. That can’t go through Tor or a VM.

Instead of Tor, I highly recommend using at least one WireGuard VPN connection for ALL traffic (except the initial DHCP request), including updates, time server, etc. Tor use is an instant red flag from your ISP these days, but VPNs are not, because they are so popular. VPNs are much faster too.

It’s been a while, but I’m thinking of building a pen testing laptop, and by default, don’t even bring up an interface, with the default option to come up in listening (promiscuous) mode only, then go from there: send a DHCP request, and whatever MAC address replies with the DHCP response will be the only one allowed, all other MAC addresses dropped. I’d have the one VM just for monitoring the local segment quietly (and a browser if a local portal is needed, like for a coffee shop’s free wireless access).

Just my two cents :slight_smile:

All three are set to sys-whonix.

I agree with this. But there should be some script or some way of stopping that since dom0 is doing the updates anyway.