Some users are shooting their own feet by setting the Net Qube of anon-whonix to sys-firewall. See this example.
I have tried this before to confirm whether or not this was true, and I could not connect to the internet without using sys-whonix as my Net qube.
See example below:
user@host:~$ curl $URL
curl: (6) Could not resolve host: $URL
Without firewall (also reset iptables):
user@host:~$ sudo nft flush ruleset
user@host:~$ curl $URL
curl: (6) Could not resolve host: $URL
Tested with sys-firewall. Results in a timeout. $URL can be resolved with sys-whonix as Net qube.
Even without Whonix-Gateway Firewall and without Whonix-Workstation firewall, no leaks are possible. Traffic from Whonix-Workstation can either reach Tor which is running on Whonix-Gateway or no destination at all.
I see no evidence that this is not true on Qubes-Whonix. What am I missing here? It seems like there is some Whonix magic:
- No firewall required to be enabled on either Gateway or Workstation
- No connectivity unless Workstation is connected to Gateway
The purpose of this post is to figure out why it works like this. Please point me to the appropriate documentation if it exists. I could not find an explanation of why Whonix refuses to leak without a firewall and with a standard Net qube.