Sys-whonix <- sys-firewall2 leads to identity correlation

Continuing the discussion from How is the QubesOS firewall implemented?:

This can be prevented by using the Stream Isolation[0] feature provided by sys-whonix / whonix-gateway.

It is also possible to isolate a circuit for a specific qube by combining this with redsocks[1].

Also, sys-whonix bundles Onion Circuits, which is useful for checking the isolation.

[0] Stream Isolation
[1] GitHub - darkk/redsocks: transparent TCP-to-proxy redirector


(Moved this into a new topic. Feel free to propose a title change)

Stream isolation as documented will not prevent this, since it uses dst port and dst address.

Have you tried it? That's what I thought when I saw the document.
I ran the following commands in two VMs using sys-whonix as netVM, but the streams were isolated.

VM1 : curl -L --socks5-hostname 10.152.152.10:9181 https://1.1.1.1
VM2 : curl -L --socks5-hostname 10.152.152.10:9182 https://1.1.1.1
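The check the post above performs by eye (two SocksPorts, two exit IPs) can be made repeatable. The script below is an added example and not part of the original thread or of Whonix: it builds the same `curl --socks5-hostname` call for a given SocksPort, reads the JSON that Tor's check service returns (`{"IsTor":true,"IP":"..."}`), and reports whether every request went through Tor and whether the exits differ. The gateway address 10.152.152.10 and the ports 9181/9182 are taken from the post; the sample responses embedded in the script are constructed, and the live fetch assumes curl is installed in the qube running it.

```python
"""Check that two qubes behind sys-whonix really get separate Tor circuits.

Added example, not code from the original thread or from Whonix. Assumes the
Whonix gateway address 10.152.152.10 and the SocksPorts 9181/9182 shown in
the post, and that curl is installed wherever the live check is run.
"""
import json
import subprocess

GATEWAY = "10.152.152.10"          # whonix-gateway internal address (from the post)
CHECK_URL = "https://check.torproject.org/api/ip"

# Constructed sample bodies in the format the check service returns;
# they are not real captures.
SAMPLE_RESPONSES = {
    "VM1 (port 9181)": '{"IsTor":true,"IP":"198.51.100.7"}',
    "VM2 (port 9182)": '{"IsTor":true,"IP":"203.0.113.42"}',
}


def curl_command(socks_port, gateway=GATEWAY, url=CHECK_URL):
    """Build the curl invocation for one SocksPort.

    --socks5-hostname hands the hostname to Tor, so name resolution happens
    inside the circuit instead of leaking through the qube's own resolver.
    """
    return ["curl", "-sS", "--socks5-hostname", f"{gateway}:{socks_port}", url]


def parse_check_response(body):
    """Return (is_tor, exit_ip) from a check.torproject.org JSON body."""
    data = json.loads(body)
    return bool(data.get("IsTor")), data.get("IP")


def compare_exits(responses):
    """responses: {label: json_body}. Return a small report.

    'isolated' is True only when every request was seen as coming from Tor
    and no two labels share an exit IP. Two independent circuits can land
    on the same exit by chance, so a False result is a reason to repeat the
    check (or to look at the circuits in Onion Circuits), not proof that the
    streams were merged.
    """
    exits = {}
    all_tor = True
    for label, body in responses.items():
        is_tor, ip = parse_check_response(body)
        all_tor = all_tor and is_tor
        exits[label] = ip
    distinct = len(set(exits.values())) == len(exits)
    return {"exits": exits, "all_tor": all_tor, "isolated": all_tor and distinct}


def fetch_exit_ip(socks_port):
    """Run curl through the given SocksPort and return the raw JSON body."""
    result = subprocess.run(
        curl_command(socks_port), check=True, capture_output=True, text=True
    )
    return result.stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed bodies.
    print(json.dumps(compare_exits(SAMPLE_RESPONSES), indent=2))
    # Live check: one request per SocksPort, exits compared afterwards.
    live = {f"port {p}": fetch_exit_ip(p) for p in (9181, 9182)}
    print(json.dumps(compare_exits(live), indent=2))
```

Run it once per pair of ports you care about; a report with `"isolated": false` on a single run only means the two circuits happened to share an exit and the check should be repeated before drawing conclusions.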