KVM Networking DHCP, Internal, Host Firewall


I have 3 questions about Whonix related KVM networking.

  1. I have tried to hook up a Vfirewall behind the gateway with a plain internal (bridged) network and an internal (bridged) network with a DHCP server for the gateway. Both failed. Can anyone give me a hint on how I can build an internal network that supports communication between the gateway WAN and another VM?

  2. Does anyone have a DHCP server running in the gateway LAN to make it more flexible for custom workstations? I've read about the caveats with DHCP in the gateway, so I've had an idea for a KVM internal network that provides a DHCP server for the LAN and routes everything to the gateway. I've had no luck in building this. Please share your experiences.

Not directly Whonix related:

  1. Does anyone have an idea for a HOST firewall that blocks any traffic except from the libvirt/KVM group? Or is it possible to use e.g. a macvtap device to route everything through an Ethernet port directly, so you can block host networking completely?

Thanks in advance


Most likely, no.

Whonix-Host KVM Firewall

You probably need to adjust the Vfirewall rules to route traffic across its interfaces and direct it to the GW. Using a Vfirewall is unnecessary because Libvirt supports custom traffic filtering rules and preset clean-traffic ones for some basic protection against spoofing or DoS. I don't bother with them though, because there isn't much a WS can do and because it can theoretically increase attack surface.

Look at our documentation for DHCP support. Libvirt supports this feature in a minimalist and safer way than installing a full-fledged DHCP server on the GW.

This is something we will implement for Whonix Host, but nothing is in code yet.
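The two libvirt features the reply points at, DHCP on an internal network and the preset clean-traffic filter, look like this in libvirt XML. This is an added illustration, not a network or domain definition shipped by Whonix or taken from the thread; the network name, bridge name, the 10.152.152.0/18 subnet with the gateway's LAN side at 10.152.152.10, the host bridge address 10.152.152.1, the workstation MAC and the pool boundaries are all assumptions to adjust to your own setup.

```xml
<!-- Added example, not a Whonix-shipped definition. Assumed values:
     network Whonix-Internal-DHCP on bridge virbr-ws-dhcp, subnet
     10.152.152.0/18, Whonix-Gateway LAN side at 10.152.152.10 (kept
     static, outside the pool), host bridge address 10.152.152.1. -->
<network>
  <name>Whonix-Internal-DHCP</name>
  <!-- No <forward> element: the network is isolated, so the host neither
       NATs nor routes anything leaving this bridge. -->
  <bridge name='virbr-ws-dhcp' stp='on' delay='0'/>
  <!-- libvirt's DHCP (dnsmasq) requires an <ip> element, which also puts
       the HOST on the internal bridge with this address. That is the
       trade-off versus an internal bridge defined without <ip>, where the
       host has no address on the workstation segment at all. -->
  <ip address='10.152.152.1' netmask='255.255.192.0'>
    <dhcp>
      <range start='10.152.152.20' end='10.152.152.250'/>
      <!-- Optional: pin a workstation to a fixed address by MAC, so the
           clean-traffic IP parameter below stays valid. -->
      <host mac='52:54:00:12:34:56' name='whonix-ws' ip='10.152.152.11'/>
    </dhcp>
  </ip>
</network>

<!-- In the workstation's domain XML: attach the NIC to that network and
     apply libvirt's preset clean-traffic filter, which drops frames whose
     source MAC, IP or ARP fields do not match the values given here. -->
<interface type='network'>
  <source network='Whonix-Internal-DHCP'/>
  <mac address='52:54:00:12:34:56'/>
  <filterref filter='clean-traffic'>
    <parameter name='IP' value='10.152.152.11'/>
  </filterref>
</interface>
```

Load it with `virsh net-define`, `virsh net-start` and `virsh net-autostart` on the network name, and check what was actually handed out with `virsh net-dhcp-leases Whonix-Internal-DHCP`. Two caveats worth verifying before relying on this: as I understand libvirt's behaviour, on an isolated network it configures dnsmasq not to advertise a default router or DNS server, so clients still need the gateway's address (assumed 10.152.152.10) as their default route by other means; confirm by reading the generated configuration under /var/lib/libvirt/dnsmasq/ after the network starts. And because the host now has an address on the bridge, anything listening on 0.0.0.0 on the host becomes reachable from the workstation segment, which is exactly the exposure the reply's "safer" is weighing against running a full DHCP daemon on the gateway.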