Is it possible to add a FirewallVM between a Whonix-Workstation and a Whonix-Gateway, so that only certain types of traffic are allowed (just like with a regular, clearnet VM)? For example:
whonix-ws-email -> sys-fw-whonix -> whonix-gw -> sys-firewall -> sys-net
Then set up firewall rules allowing only pop3s traffic to whonix-ws-email. The result should be that whonix-ws-email can only download mail over pop3s; no other traffic gets through.
I tried testing this but couldn’t get it to work. Either all traffic gets through, or nothing gets through.
Related point:
Changing the NetVM of a TemplateVM from sys-firewall (clearnet) to a Whonix-Gateway means that traffic is no longer restricted to the Updates Proxy. All traffic is allowed. This seems kind of dangerous, but the benefit of Torified updates probably outweighs this drawback for (careful) users. IIRC, this is a known issue.
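The chain and the "pop3s only" policy the question describes, written out as the dom0 commands one would use on Qubes 4.x. This is an added example, not the poster's own commands or anything from the Qubes or Whonix projects. The VM names come from the question; the template name (a placeholder), the red label, and the extra DNS rule are assumptions. It only expresses the intended policy; whether these rules actually take effect for traffic that the Whonix-Gateway transparently proxies is exactly what the question reports as not working.

```shell
#!/bin/sh
# Added example: express "only POP3S from whonix-ws-email" with Qubes 4.x dom0 tools.
# VM names are taken from the question; FW_TEMPLATE, the label and the DNS rule are assumptions.
# Set DRY_RUN=1 to print the dom0 commands instead of executing them.

set -eu

WS="whonix-ws-email"        # Whonix-Workstation that should only be able to fetch mail
FW="sys-fw-whonix"          # new ProxyVM placed between the workstation and the gateway
GW="whonix-gw"              # Whonix-Gateway, named as in the question
FW_TEMPLATE="${FW_TEMPLATE:-TEMPLATE_PLACEHOLDER}"   # assumption: any non-Whonix template for a plain ProxyVM

# Execute a command, or print it when DRY_RUN=1 (lets the policy be reviewed before applying it).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: create the ProxyVM. provides_network=True is what lets other qubes use it as their NetVM.
create_proxyvm() {
    run qvm-create --class AppVM --template "$FW_TEMPLATE" --label red \
        --property provides_network=True "$FW"
}

# Step 2: wire the chain  WS -> FW -> GW.  GW -> sys-firewall -> sys-net is left untouched,
# so nothing about the gateway's own Tor configuration changes.
wire_chain() {
    run qvm-prefs "$FW" netvm "$GW"
    run qvm-prefs "$WS" netvm "$FW"
}

# Step 3: replace the workstation's rule set. A fresh qube ships with a single 'accept' rule
# (rule 0). Rules are evaluated in order, first match wins, and anything not explicitly
# accepted is dropped. They are enforced by the workstation's NetVM, i.e. inside sys-fw-whonix.
set_pop3s_only() {
    run qvm-firewall "$WS" del --rule-no 0
    run qvm-firewall "$WS" add action=accept proto=tcp dstports=995    # POP3S
    run qvm-firewall "$WS" add action=accept specialtarget=dns         # assumption: name resolution is still needed
    run qvm-firewall "$WS" add action=drop                             # explicit catch-all
}

# Step 4: show the resulting rule set for review.
show_rules() {
    run qvm-firewall "$WS" list
}

main() {
    create_proxyvm
    wire_chain
    set_pop3s_only
    show_rules
}

# Only run the whole procedure when executed under this file name, not when sourced.
case "${0##*/}" in
    qubes-pop3s-chain.sh) main ;;
esac
```

Save it as `qubes-pop3s-chain.sh` in dom0 and run `DRY_RUN=1 sh qubes-pop3s-chain.sh` first to see the exact commands; drop `DRY_RUN` to apply them. The point to verify afterwards is `qvm-firewall whonix-ws-email list`: the accept rules must come before the drop rule, and the original rule 0 must be gone, otherwise everything is still allowed, which matches the "all or nothing" symptom in the question.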