Block all traffic except some hidden addresses

Could Whonix implement 3proxy? It can do much more than what is mentioned in this topic. It supports all types of proxies (http, https, socks4, socks5, …),

whitelist/blacklist using IPs/hostnames, filtering by ports, protocols (http, https, ftp, etc.), filtering by user:password and more.

You could specify multiple (wildcard) hostnames, (wildcard) IPs, ports, protocols and users for each rule in a single, short line.

Other than these, you could chain all kinds of proxies for each allowed rule/connection, which means as many proxy hops after Tor as you like. It is easy to eliminate DNS leaks and only resolve the hostname at the last hop of the connection.

You could redirect each allowed rule/connection to their own Tor socks port you specified, which could also be set to be randomly chosen from a list of ports you specify for each rule.

I guess you could have multiple Tor Browser or other application instances which could use at least one proxy hop in the end to avoid Cloudflare blocks or for different (anonymity) purposes

Also check: Applications and Stream Isolation - #8 by Patrick

If you are interested I could share some of my simple configurations to literally own the control of all connections

I could imagine multiple 3proxy instances used for different purposes in both gateway and workstation by default and by use case. 3proxy has many more features which could replace and improve existing solutions in Whonix

But all the things above could be done with a single 3proxy instance listening on a single port which I guess should be run in workstation but I’m not sure, I didn’t try 3proxy in Whonix

If this could be done on Whonix, what about Qubes or Qubes-Whonix? Extreme access control or overkill?
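The kind of single-instance setup described above, written out as an added example. This is not the poster's configuration and not anything shipped by Whonix or 3proxy; it assumes the standard 3proxy directives (`auth`, `allow`/`deny`, `parent`, `socks`), that 3proxy's `socks5+` parent type defers hostname resolution to the parent proxy (here Tor), and that the SOCKS addresses and ports are placeholders to be replaced with the real Tor SocksPorts of the gateway. The destination names are constructed placeholders too.

```conf
# Added example: one 3proxy instance, one listening port, default-deny.
# Only whitelisted destinations are allowed, and each allow rule is sent to
# its own Tor SOCKS port. All IPs/ports/hostnames below are placeholders.

log /var/log/3proxy.log D      # daily log rotation; useful for spotting denied connections
auth iponly                    # decide by source/destination only, no user:password

# Rule 1: browser traffic to one public domain (wildcard subdomains), HTTPS only.
# Two parent lines whose weights sum to 1000 form one hop chosen at random,
# so each connection lands on one of two Tor SocksPorts (stream isolation).
allow * 127.0.0.1 *.example.org 443
parent 500 socks5+ 127.0.0.1 9050   # placeholder: Tor SocksPort A
parent 500 socks5+ 127.0.0.1 9150   # placeholder: Tor SocksPort B

# Rule 2: one onion service, with an extra hop after Tor.
# The first parent group (weight 1000) is Tor; the second group is a
# further SOCKS5 proxy reached through Tor. socks5+ means the hostname is
# handed to the parent unresolved, so no DNS query leaves this host.
allow * 127.0.0.1 myservice.onion 80,443
parent 1000 socks5+ 127.0.0.1 9160          # placeholder: Tor SocksPort C
parent 1000 socks5+ 198.51.100.7 1080       # placeholder: post-Tor proxy hop

# Everything not matched above is dropped.
deny *

# Single local SOCKS listener that applications are pointed at.
socks -p1080
```

Two things worth checking when adapting this: the `parent` directives bind to the `allow` rule immediately above them, so the order of lines is the access policy; and because `deny *` is last, a new application only gets out after an explicit `allow` is added, which is the behaviour the post is asking for.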