hardening Whonix /etc/sysctl.conf

since whonix built for anonymity and to gain that, is by using The Onion Routers , so i wonder why dont we config whonix just to react with Tor abilities ?
for example disabling IPv6 or disabling all UDP traffics and …etc from hardenings (because that will prevent many attacks and lower the surface attack). a good place to start with is /etc/sysctl.conf , there r many options there which r good to activate or deactivate for example deactivating IPv6 or activating IP spoofing …etc. and sure there r more places to change for hardening. but i wonder why we dont do it.

ls -la /etc/sysctl.d

Disabling UDP would kill Transparent DNS. UDP is sorted out in whonix-gw-firewall.

aha ok , but how about the others ?

disabling IPv6 or Disabling ICMP or turning on execshield or…etc


aha ok , but how about the others ?

disabling IPv6 or Disabling ICMP or turning on execshield

IPv6 is handled by whonix-gw-firewall.

[We cannot just add random recommendations from random websites just
because those are listed there and useful in a different context.]

Others would require a detailed proposal. Some quick thoughts what it
should roughly include. [No need to make that formal.]

  • What exactly does it do?
  • What does it improve?
  • Does it really apply in context of Whonix?
  • Likelihood of introducing issues?
  • Long term test results.
  • Effects on network fingerprint?
  • Effects on web fingerprint? (less likely)
  • Why aren’t these the Debian defaults already anyway?
  • Would it make sense to suggest to Debian or Qubes to enable these settings by default also?
  • Do any other security focused distributions use these settings?

Some stuff may only be elegible for
Security Guide - Whonix or
Advanced Security Guide - Whonix.

I don’t think any sysctl settings are missing at the moment, but if
you think different, please submit a detailed proposal.


Nothing is missing.

hmm check here for example:-


and i think it is not shifted inside debian by default because why would they turn off IPv6 by default ? or even ICMP ? …etc. but we (may) need to do that for more security with Tor network.

and sure , its better to ask ppl who r expert in this.