As pointed out on the Qubes mailing list, I had not originally included firewall rules for filtering out clearnet internet access by a compromised Whonix-Workstation.
This was a simple oversight as I had set up such clearnet firewall filtering on my own Qubes + Whonix machine and had originally intended to include it in the install guide.
I’ve updated the current wiki install guide to include this new step “Deny Unnecessary Network Access”.
The primary concern that this step mitigates is if a person’s Whonix-Workstation were to be compromised by an attacker, then, without added firewalling from Qubes, it would be able to bypass Tor routing through the Whonix-Gateway and access the clearnet via the Qubes firewallvm.
This newly added step “Deny Unnecessary Network Access” cuts off such potential clearnet access off from the Whonix-Workstation, which was the original intention to be included in the install guide.
This is updated and included now…