The log is irrelevant. It’s not a listen port. It’s the virtual network interfaces created by KVM on the host operating system.
VM internal traffic is visible on the host for network sniffers such as wireshark, tshark as well as iptables (and therefore by extension also corridor).
… as we’ve wondered years ago probably and as you’ve seen years ago in tshark but finding that message would be challenging.
This is why firewall rules on the host (for example by corridor or VPN fail closed firewalls) can break Whonix-Workstation traffic.
These so far are the facts and these are unrelated to ChatGPT.
UTM is also irrelevant.
libvirt is a wrapper around QEMU. virsh domxml-to-native can translate an XML file to the actual QEMU command line that will be executed.
(Audit Output of virsh domxml-to-native)
So if QEMU supports hubport, it can be assumed that such an important option is also available in libvirt.
(In theory, very recently added or obscure QEMU options might not exist in libvirt.)
In the worst case, libvirt: QEMU command-line passthrough could be used.
KVM is also just a QEMU command line. Just with different command line options. From the perspective of the final and actually executed QEMU command line the difference is just a few command line parameters.
The problem is this:
<bridge name='virbr2' stp='on' delay='0'/>
The bridge virbr2 will be visible as a network interface on the host operating system for tools such as sudo ifconfig. This is the whole crux of Whonix KVM.
Avoiding this would make a lot of issues vanish.
So the easy one first… Currently:
<network>
<name>Whonix-External</name>
<forward mode='nat'/>
<bridge name='virbr1' stp='on' delay='0'/>
<ip address='10.0.2.2' netmask='255.255.255.0'/>
</network>
Is <bridge name='virbr1' stp='on' delay='0'/> strictly required? According to https://chat.openai.com/share/5d7c6ee9-a1ea-459f-9b50-19f2f03fe2a4 it is not.
Could you try without <bridge name='virbr1' stp='on' delay='0'/> please? Potential alternative:
<network>
<name>Whonix-External</name>
<forward mode='nat'/>
<ip address='10.0.2.2' netmask='255.255.255.0'/>
</network>
If that does not work, any other options?
This one may be harder… Currently:
<network>
<name>Whonix-Internal</name>
<bridge name='virbr2' stp='on' delay='0'/>
</network>
Isolated mode perhaps?
I did not find how to do this.
Guess based on ChatGPT… Would this work? Potential alternative:
<network>
<name>Whonix-Internal</name>
<ip address='10.152.152.0' netmask='255.255.255.0'>
</ip>
</network>
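An added example, not part of the post above: a small checker that reads the four network definitions discussed (the current NAT and internal networks and the two proposed alternatives, embedded here as constructed samples) and reports what libvirt creates on the host for each, based on the documented libvirt network XML semantics (no <forward> means isolated mode, <forward/> without a mode defaults to nat, the <ip> address is assigned to the host-side bridge, and a bridge is created whether or not the XML names it). The SAMPLES dict and the describe() function are this example's own names.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed samples mirroring the definitions discussed in the post.
SAMPLES = {
    "external-current": "<network><name>Whonix-External</name><forward mode='nat'/>"
                        "<bridge name='virbr1' stp='on' delay='0'/>"
                        "<ip address='10.0.2.2' netmask='255.255.255.0'/></network>",
    "external-proposed": "<network><name>Whonix-External</name><forward mode='nat'/>"
                         "<ip address='10.0.2.2' netmask='255.255.255.0'/></network>",
    "internal-current": "<network><name>Whonix-Internal</name>"
                        "<bridge name='virbr2' stp='on' delay='0'/></network>",
    "internal-proposed": "<network><name>Whonix-Internal</name>"
                         "<ip address='10.152.152.0' netmask='255.255.255.0'></ip></network>",
}

def describe(xml_text):
    """Return what libvirt would set up on the host for one <network> definition."""
    root = ET.fromstring(xml_text)
    fwd = root.find("forward")
    # No <forward> element means an isolated network; <forward/> without mode is nat.
    mode = fwd.get("mode", "nat") if fwd is not None else "isolated"
    bridge = root.find("bridge")
    ip = root.find("ip")
    info = {
        "name": root.findtext("name"),
        "mode": mode,
        # nat, route and isolated networks are all bridge-backed: the bridge
        # exists on the host whether or not the XML names it (libvirt picks virbrN).
        "host_bridge": True,
        "bridge_name": bridge.get("name") if bridge is not None else "auto (virbrN)",
        "host_ip": ip.get("address") if ip is not None else None,
        "warnings": [],
    }
    if mode == "nat":
        info["warnings"].append("libvirt adds host NAT/forwarding firewall rules for this bridge")
    if mode == "isolated":
        info["warnings"].append("isolated: no host forwarding, but guest frames still pass the host bridge")
    if ip is not None:
        # <ip address> is the host's own address on the bridge; a network address is unusable.
        net = ipaddress.ip_network(f"{ip.get('address')}/{ip.get('netmask')}", strict=False)
        if ipaddress.ip_address(ip.get("address")) == net.network_address:
            info["warnings"].append("<ip address> is the bridge's host address; a .0 network address is not usable")
    return info

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, describe(text))
```

Whatever the XML says, each of these modes still yields a host-side bridge that tcpdump, tshark and the host firewall can see, which is the point the post makes about virbr2.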