Sys-whonix <- sys-firewall2 leads to identity correlation

Continuing the discussion from How is the QubesOS firewall implemented?:

This can be prevented by using the Stream Isolation[0] feature provided by sys-whonix / whonix-gateway.

To isolate a circuit for a specific qube, it is possible by combining redsocks[1].

Also, sys-whonix bundled Onion Circuits, which is useful for checking the isolation.

[0] Stream Isolation
[1] GitHub - darkk/redsocks: transparent TCP-to-proxy redirector

1 Like

(Moved this into a new topic. Feel free to propose a title change)

Stream isolation as documented will not prevent this, since it uses dst
port and dst address.

Have you tried it? that’s what I thought when I saw the document.
I ran the following commands in two VMs using sys-whonix as netVM, but the streams were isolated.

VM1 : curl -L --socks5-hostname
VM2 : curl -L --socks5-hostname