Re: Stop users from changing their anon-whonix net qube to sys-firewall to avoid IP leaks

Some users are shooting their own feet by setting the Net Qube of anon-whonix to sys-firewall. See this example.

I have tried this before to confirm whether or not this was true, and I could not connect to the internet without using sys-whonix as my Net qube.

See example below:

user@host:~$ curl $URL
curl: (6) Could not resolve host: $URL

Without firewall (also reset iptables):

user@host:~$ sudo nft flush ruleset
user@host:~$ curl $URL
curl: (6) Could not resolve host: $URL

Tested with sys-firewall. Results in a timeout. $URL can be resolved with sys-whonix as Net qube.

Even without Whonix-Gateway Firewall and without Whonix-Workstation firewall, no leaks are possible. Traffic from Whonix-Workstation can either reach Tor which is running on Whonix-Gateway or no destination at all.

I see no evidence that this is not true on Qubes-Whonix. What am I missing here? It seems like there is some Whonix magic:

  1. No firewall required to be enabled on either Gateway or Workstation
  2. No connectivity unless Workstation is connected to Gateway

The purpose of this post is to figure out why it works like this. Please point me to the appropriate documentation if it exists. I could not find an explanation of why Whonix refuses to leak without a firewall and with a standard Net qube.

Steps to reproduce

configure the Net Qube of anon-whonix to be sys-firewall


Whonix is built on the assumption of the virtualizer enforcing an isolated network between workstation and gateway only.

When setting the workstation net qube to sys-firewall, this is broken.

Reasons why this doesn’t work:

  • broken DNS setup
  • uwt (Stream Isolation)

If you don’t know what for example Stream Isolation is → search. Please don’t let me Google that for you.

Reason why this works:

  • Doesn’t use DNS.
  • Doesn’t use uwt.