Whitelisting only specific IPs in one Qube (Atomic Wallet)

Hi there.

I installed one Qube called: “atomic-qube”
In that Qube I will only have one program called : “atomicwallet.AppImage”

Currently I trust in this APP, but maybe in future I will not.
When I start this APP it should connect to a remote server : “xx.xx.xx.xx” and check my Crypto balance.

Currently I do not know which IP address is that, nor if there are another IP addresses.

All I want to know is how to see :

  1. All active IP connections in this Qube.

After seeing active connections, I can whitelist only that connections in firewall.

In the future, if I download infected new updated Atomic application, this application wouldn’t be able to connect to a remote RAT server, because I whitelisted only Atomic Servers ??

Does this make any sense ? or I am thinking wrong.

Short info:

I am using Atomic Wallet since they were Beta version.
Never ever had any problem whit this wallet.
My Private keys and seed are very good protected since I do not download any new versions.
But now I want to download new version, because I want to have new Coins in my list, some coins in which I want to invest.
My version 1 had support for a top 5 Cryptos.
I know this version is not infected with any kind man-in-the-middle , or any kind of trojan.

So how can I inspect this app and limit my firewall only to those IPs ?

and what will happened if I downloaded infected app and my firewall is good configured ?
will attacker still have access to my seed , no-matter his server is not Whitelisted ???

thx to all who can help and more tnx to those how try to help

live long and prosper

For seeing the active connections I think you’ll need some sort of linux network monitoring tool. But the next part it should be as simple as restricting that on the Qube’s firewall settings. The documentation should be self-explantory and by reading it it should answer most of your concerns:

If that doesn’t work for you, the check out this discussion:

Tnx man

I will read it definitely :slight_smile:

1 Like

After reading a little bit more… I need a proxy VM.

Proxy can filter and block what I do not want .

Qubes firewall is not logical for me enough.
I can allow all or only specific one.

What is with blocking only specific ones and allow rest?

Now I found a tutorial. Will try to follow it on my 4.1
If I succeed I will update my first post.

How to configure PiHole in QubesOS (ProxyVM) | Patrizio Tufarolo

Note that PiHole is a DNS filter - it will not prevent malicious programs which use IP addresses directly.

Hi Rooftop

Tnx for your remark.

Do you have any better idea for this problem?

Without knowing what you want to allow or block, it’s hard to know what is the best solution. What exactly are you trying to block (or allow). For example, what host names or IP addresses, what sort of connections (http, https, others?).

It very simple (at least for me)

I want to have a VM in which I want to install one Program only (APP1).
Then, when I start this program, I want to see which IP connections this program uses (TCP & UDP), and then block all other connections.

But now I can not see my active connections in my VM (because I do not know how).

Let’s sey that APP1 uses only IP:
aa.aa.aa.aa and
for connecting to a Trusted remote Server

Then I want to enable only that IPs and block everything else.

My thinking is, if I downloaded malicious Updated version APP1_v.2 then this code would not be able to connect to a RAT server.
Or am I thinking wrong?

If I am thinking all this wrong, then I want to have a possibility to run any infected application and to clearly see all active IPs.
Nothing more.


Look into certificate pinning. There is a Firefox Add-On to make you understand the concept. Use is it for your logins in Firefox to see how it works.



The qubes firewall does not make the above limitation; it can be configured to allow more than one IP/host and block all others - just create additional entries.

You can get an idea of connections the qube makes with a tcpdump capture such as:

$ sudo tcpdump -i eth0 -n '((tcp[tcpflags]&tcp-syn!=0 and tcp[tcpflags]&tcp-ack=0) or udp) and (port domain or dst net not'

... IP > 59319+ A? www.qubes-os.org. (34)
... IP > 7500+ AAAA? www.qubes-os.org. (34)
... IP > 59319 1/0/0 A (50)
... IP > 7500 NXDomain 0/0/0 (34)
... IP > Flags [S] ...

Explanation: show all TCP outgoing connections and UDP packets, as long as the destination is not a 10.x.y.z network…unless it’s a DNS request. The above was the result of curl https://www.qubes-os.org.

It would be better to capture everything to a file (add -w file.pcap), and analyze later in a graphical UI like Wireshark.

Once you have IP addresses, create the firewall rules.

1 Like

I took a quick look at the atomicwallet.AppImage.

As expected, it’s just an Electron app (it has an embedded Chromium browser + NodeJS) so it’s probably reaching out to HTTPS endpoints at atomicwallet’s web site.

This means not connect the VM to a NetVM, and then exec the AppImage with a --proxy-server argument, and then follow the guide @Rooftop made @ Restricting a Qube to selected websites.

Also, if it matters to you, that AppImage does not embed a signature (--appimage-signature), nor does their website provide provide any signatures in the download location. sha256 hashes are provided, but the site is also behind CloudFlare.

1 Like

thank you very much @icequbes1 for explaining.
I will definetly test this configuration today.

Will update my progress.