How to add a ProxyVM between anon-whonix and sys-whonix? (whonix-ws-email -> sys-fw-whonix -> whonix-gw -> sys-firewall -> sys-net)

Is it possible to add a FirewallVM between a Whonix-Workstation and a Whonix-Gateway, so that only certain types of traffic are allowed (just like with a regular, clearnet VM)? For example:

whonix-ws-email -> sys-fw-whonix -> whonix-gw -> sys-firewall -> sys-net

Then set up firewall rules allowing only pop3s traffic to whonix-ws-email. The result should be that whonix-ws-email can only download mail over pop3s; no other traffic gets through.

I tried testing this but couldn’t get it to work. Either all traffic gets through, or nothing gets through.

Related point:

Changing the NetVM of a TemplateVM from sys-firewall (clearnet) to a Whonix-Gateway means that traffic is no longer restricted to the Updates Proxy. All traffic is allowed. This seems kind of dangerous, but the benefit of Torified updates probably outweighs this drawback for (careful) users. IIRC, this is a known issue.

Moved here:
sys-whonix does not yet function was Qubes FirewallVM

This is an interesting question. I guess it could lead to more stuff and analysis than I can foresee.

Possible in theory but undocumented and not researched.

Stream isolation might get into the way depending on which application you tried to use. Background information on stream isolation:

Applications inside whonix-ws AppVMs either A) directly connect to the local network where a SocksPort where Tor is listening or B) use the operating system’s default networking. This is also called transparent proxying.

A) complicates things for this kind of advanced endeavors. I would advice to disable stream isolation (for the applications that you may be using that may be pre-configured) during development of this. Then later when it works figuring out if stream isolation can be re-enabled. For instructions on stream isolation deactivation, see:

B) is easier. sys-fw-whonix would, as I imagine, be a Qubes ProxyVM. Use IP forwarding. (Unless you figure out some solution that does not require it. But maybe not important.) Accept the traffic, filter it with iptables, then forward it to sys-whonix. Probably in the first iteration just using transparent proxying.

As an pre-exercise it may be useful to to remove Whonix from the equation. Have some AppVM that connects to some ProxyVM that does some filtering and then forwards to sys-net. Re-applying this setup to Whonix than may be simpler because by then you would have figured out all the non-Whonix stumbling points.

Very informative; thank you!