Jason suggested modifying https://www.whonix.org/wiki/Dev/Default_Application_Policy in order not to be adamant about properly working socks support for stream isolation. Like not installing electrum by default because of this ( https://phabricator.whonix.org/T215 ), we let the perfect be the enemy of the good and let users stand in the rain.
Meanwhile I have a suggestion on how Gajim’s traffic can be forced to use stream isolation. What if it is installed under its own user account and then you can use bindp to force all traffic for that user over its own isolated stream? Does that make sense? Can it fix things?
bindp use case: ricochet or onionshare open a server port on 127.0.0.1 to be accessible from the hidden service incoming connection. This won’t work in Whonix since the hidden service incoming connection is coming from Whonix-Gateway which is a non-localhost connection. bindp is used to force that application to listen on another interface so it can accept the connection. So bindp has nothing to do with it here since gajim doesn’t open server ports / needs no unsolicited incoming connections.
Once we’re using iptables redirection, no torsocks or anything is required. Perhaps we could make this a generic solution. Applications running under their own linux operating system user name, and then redirected… Wait… Redirect how and where? Could only be redirected to Tor’s DnsPort / Tor’s TransPort, so wouldn’t solve any stream isolation issue. I wouldn’t know any translation from operating system networking default traffic (and iptables) to socks; that’s why iptables can help with leak prevention, but then connectivity just breaks since iptables is not a socksifier. Would be cool to have some iptables to socks tool. Dunno if that exists.
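The per-user redirection sketched in the post above, written out as an added example (not code from the thread or from Whonix): traffic from one OS user account is DNAT'ed to a TransPort/DnsPort on the gateway and everything else from that user is rejected. The gateway address, port numbers and user name are assumptions; the rules are emitted rather than applied so they can be reviewed first. As the post says, this is leak prevention, not a socksifier; Tor does isolate streams arriving on different listener ports from each other, so a TransPort dedicated to this user is what keeps its circuits apart from the rest.

```shell
#!/bin/sh
# Added example: iptables owner-match redirection of one user's traffic to Tor.
# Assumed values (not from the thread): gateway address and listener ports.
TOR_GW="10.152.152.10"   # assumption: Whonix-Gateway address as seen by the workstation
TRANS_PORT="9040"        # assumption: a TransPort reserved for this user
DNS_PORT="5300"          # assumption: a DnsPort on the gateway

# Print the rules for one OS user. Nothing is applied here; as root the output
# can be piped to sh once it has been checked.
rules_for_user() {
  user="$1"; tport="${2:-$TRANS_PORT}"; dport="${3:-$DNS_PORT}"
  cat <<EOF
iptables -A OUTPUT -m owner --uid-owner $user -o lo -j ACCEPT
iptables -t nat -A OUTPUT -m owner --uid-owner $user -p udp --dport 53 -j DNAT --to-destination $TOR_GW:$dport
iptables -t nat -A OUTPUT -m owner --uid-owner $user -p tcp --syn -j DNAT --to-destination $TOR_GW:$tport
iptables -A OUTPUT -m owner --uid-owner $user ! -d $TOR_GW -j REJECT
EOF
}

# Count how many rules a user gets, so a caller can sanity-check the set.
rule_count_for_user() {
  rules_for_user "$@" | wc -l | tr -d ' '
}

# Example invocation: a dedicated "gajim" account (assumed name) on its own TransPort.
rules_for_user gajim 9041 5300
```

The filter-table REJECT runs after the nat DNAT, so only packets already rewritten to the gateway pass; UDP other than port 53 and ICMP from that user are dropped.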