user@host:~$ sudo nft flush ruleset
user@host:~$ curl $URL
curl: (6) Could not resolve host: $URL
Tested with sys-firewall. Results in a timeout. $URL can be resolved with sys-whonix as Net qube.
Even without Whonix-Gateway Firewall and without Whonix-Workstation firewall, no leaks are possible. Traffic from Whonix-Workstation can either reach Tor which is running on Whonix-Gateway or no destination at all.
I see no evidence that this is not true on Qubes-Whonix. What am I missing here? It seems like there is some Whonix magic:
No firewall required to be enabled on either Gateway or Workstation
No connectivity unless Workstation is connected to Gateway
The purpose of this post is to figure out why it works like this. Please point me to the appropriate documentation if it exists. I could not see an explanation to why Whonix refuses to leak without a firewall, and with a standard Net qube.
I think overall it would be useful to have safety checks that prevent changing workstation netVM to something different than sys-whonix/@tag:anon-gateway (say sys-firewall) by accident.
But note that it is not sufficient to just allow sys-whonix, as there might be multiple whonix gateway vms. Please also still provide some way for more technical people to enforce a different netvm, like sys-vpn. I’d imagine Whonix workstation provides benefits for Tor-before-VPN tunnels regarding leak prevention as well.
One way might be to manually assign the qubes tag anon-gateway to specific netvms. Assigning tags should be “advanced enough”.
Or would you think a Kicksecure VM would be better suited as leak-proof client/workstation for Tor-before-VPN or even Clearnet-before-VPN tunnels?
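The safety check described in the reply above, as an added example that is not part of the thread and not Qubes or Whonix code: it walks an inventory of qubes and flags every anon-vm tagged workstation whose NetVM is neither tagged anon-gateway nor on an explicit allow-list (sys-vpn in the example), so a second Whonix gateway tagged by hand passes while a workstation accidentally pointed at sys-firewall is reported. The inventory here is constructed in-line so the script runs offline; on dom0 it would be filled from `qvm-prefs <vm> netvm` and `qvm-tags <vm> list`. The function and data names are mine.

```python
"""Dry-run policy check for Whonix workstation NetVM assignments.

Added example, not code from the forum thread or from Qubes/Whonix.
Assumed: a dict of vm name -> (netvm or None, set of tags), mirroring what
`qvm-prefs <vm> netvm` and `qvm-tags <vm> list` report on dom0.
"""

from dataclasses import dataclass

# Constructed sample inventory (not real dom0 output).
# anon-whonix is accidentally pointed at sys-firewall (the thread's case);
# sys-whonix-2 is a second gateway tagged anon-gateway by hand;
# sys-vpn is a Tor-before-VPN NetVM that an admin may allow explicitly.
SAMPLE_INVENTORY = {
    "sys-net":       (None, set()),
    "sys-firewall":  ("sys-net", set()),
    "sys-whonix":    ("sys-firewall", {"anon-gateway"}),
    "sys-whonix-2":  ("sys-firewall", {"anon-gateway"}),
    "sys-vpn":       ("sys-firewall", set()),
    "anon-whonix":   ("sys-firewall", {"anon-vm"}),   # misconfigured
    "anon-whonix-2": ("sys-whonix-2", {"anon-vm"}),   # second gateway, fine
    "anon-vpn":      ("sys-vpn", {"anon-vm"}),        # only fine if allowed
    "anon-offline":  (None, {"anon-vm"}),             # no NetVM: no path out
}


@dataclass(frozen=True)
class Finding:
    vm: str
    netvm: str
    reason: str


def check_anon_vms(inventory, allowed_netvms=frozenset(),
                   gateway_tag="anon-gateway", workstation_tag="anon-vm"):
    """Return a Finding for each workstation whose NetVM is not a gateway.

    A workstation with no NetVM is skipped: with nothing attached it has no
    network path at all, which matches the thread's observation.
    """
    findings = []
    for vm, (netvm, tags) in sorted(inventory.items()):
        if workstation_tag not in tags:
            continue                      # not a Whonix workstation
        if netvm is None:
            continue                      # disconnected, nothing to leak to
        if netvm in allowed_netvms:
            continue                      # explicit admin override (e.g. sys-vpn)
        if netvm not in inventory:
            findings.append(Finding(vm, netvm, "netvm missing from inventory"))
            continue
        if gateway_tag not in inventory[netvm][1]:
            findings.append(Finding(vm, netvm,
                                    f"netvm is not tagged {gateway_tag}"))
    return findings


def report(inventory, allowed_netvms=frozenset()):
    """Human-readable summary; returns the list of offending vm names."""
    findings = check_anon_vms(inventory, allowed_netvms)
    for f in findings:
        print(f"WARNING: {f.vm} -> {f.netvm}: {f.reason}")
    if not findings:
        print("OK: every workstation is behind an anon-gateway NetVM")
    return [f.vm for f in findings]


if __name__ == "__main__":
    # Strict run, then a run that allows sys-vpn for the more technical user.
    report(SAMPLE_INVENTORY)
    report(SAMPLE_INVENTORY, allowed_netvms={"sys-vpn"})
```

Wiring this into a Qubes policy or a Salt state is left to the admin; the point of the allow-list parameter is the reply's second requirement, that a deliberate choice such as sys-vpn remains possible without weakening the default.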