sys-whonix does not yet function as Qubes FirewallVM

Continuing the discussion from Whonix with firewall rules?:

I don’t think we have tickets / release targets for that already. This is what we have for now.

sys-whonix as Qubes FirewallVM:
Dev/Qubes - Whonix

At 32c3 we also discussed moving to a qrexec-based updates proxy. I haven’t found a ticket for this yet, but all of the above influences when and how this should be fixed.

What’s your opinion on when and how this should be implemented? Are there any [other] tickets that block/influence this? @marmarek

Just to clarify, are you asking for my opinion or @marmarek’s? (I want to know @marmarek’s opinion too. :smile:)

Sorry. I am interested in any opinion. Just highlighting @marmarek so he gets e-mail notifications, as Marek may not have the whole Whonix forums subscribed since it’s generating lots of traffic. And because I am not sure anymore whether we discussed this at 32c3 and what we concluded.

Regarding the firewall, the discussion outcome is here: Implement new firewall dom0->VM interface · Issue #1815 · QubesOS/qubes-issues · GitHub (actually the message linked from there). The idea is to:

  1. have the updates proxy running over qrexec instead of TCP/IP, so the template will not have its own netvm at all
  2. ease integration of “qubes firewall rules” with other firewalls (like the Whonix one)

So, those are two (related) things: default rules for the template, not enforced by Whonix (will be solved by “1”), and AppVM firewall rules generally when the Whonix gateway is in use (“2” will ease solving it, but by itself will not be enough).

make sys-whonix function as Qubes FirewallVM:
https://phabricator.whonix.org/T476