I would like to have a better picture of network traffic in Whonix.
First, I want to look into OS-initiated traffic (when the user doesn't open any applications or perform any actions at all). Where does Whonix initiate connections to? Anything apart from the sdwdate lists? I want to look at all the related code for those operations.
In general though, the monitoring I have in mind should include all traffic.
Ideally I would like to have a service that shows, at any given time, a list of connections, with:
- The process initiating the connection
- Destination of the connection
This should include both clearnet and onion destinations, with a readable, concise log.
At a second stage, perhaps a blacklisting / whitelisting mechanism.
Examples for whitelisting use cases:
- A workstation is used for Electrum only. The user wants to only allow connections to certain bitcoin nodes, plus anything that is absolutely a must for Whonix to function (debian / whonix updates, sdwdate?). Nothing else.
- A workstation is used for chat with Gajim for example. After an initial research into the required destinations, only those are whitelisted.
- A workstation is used only for email using say protonmail.com. Whitelisting of their site only (I don’t think they load scripts from elsewhere. If so, review and whitelist those as necessary).
- A workstation is used to manage a remote server. Only that IP is whitelisted.
- When working with a longer list of sites: assists in avoiding phishing attacks.
Motivation: prevent both mistakes and malicious outgoing connections / destinations. Malware will need to circumvent the whitelisting mechanism itself to work (perhaps the whitelisting should be done on the Gateway?).
Perhaps some of that is already possible. I would appreciate any comments, pointers and advice.
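As an added example (not code from the post or from the Whonix project), here is a Python sketch of the first stage described above: one concise line per established TCP connection with the owning process, the destination, and an allow-list verdict, built on the `/proc/net/tcp` socket-table format. The sample table, the inode-to-process map and the allow-list are constructed values; the live `/proc` walk is included but only works on Linux with read access to the processes in question.

```python
import os, socket, struct
from collections import namedtuple

# Constructed sample in /proc/net/tcp layout (addresses are little-endian hex); row 0 is a listener (st 0A), rows 1-2 are ESTABLISHED (st 01).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:235A 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0B00000A:C3D4 0A0200C0:0016 01 00000000:00000000 00:00000000 00000000  1000        0 10002 1 0000000000000000 20 4 30 10 -1
   2: 0B00000A:C3D5 076433C6:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 10003 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_INODE_MAP = {10002: "ssh[4242]", 10003: "curl[4343]"}   # constructed socket inode -> process
ALLOW_LIST = {("192.0.2.10", 22)}   # constructed: the single remote server the workstation may reach
Conn = namedtuple("Conn", "local remote state inode")

def hex_to_endpoint(field):
    """Decode an 'ADDR:PORT' field: ADDR is little-endian hex IPv4, PORT is big-endian hex."""
    addr, port = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr, 16))), int(port, 16)

def parse_proc_net_tcp(text):
    """Turn the socket table into Conn records (columns: sl local rem st ... uid timeout inode)."""
    rows = (line.split() for line in text.splitlines()[1:])   # first line is the column header
    return [Conn(hex_to_endpoint(f[1]), hex_to_endpoint(f[2]), f[3], int(f[9])) for f in rows if len(f) >= 10]

def map_inodes_to_processes():
    """Walk /proc/<pid>/fd and map 'socket:[inode]' links to 'comm[pid]' (Linux only)."""
    mapping = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            comm = open(f"/proc/{pid}/comm").read().strip()
            for fd in os.listdir(f"/proc/{pid}/fd"):
                link = os.readlink(f"/proc/{pid}/fd/{fd}")
                if link.startswith("socket:["):
                    mapping[int(link[8:-1])] = f"{comm}[{pid}]"
        except OSError:
            continue                                  # process exited or not readable by us
    return mapping

def report(conns, inode_map, allow):
    """One log line per ESTABLISHED connection: process, destination, allow-list verdict."""
    rows = []
    for c in conns:
        if c.state != "01":                           # 01 = TCP_ESTABLISHED; skip listeners etc.
            continue
        proc = inode_map.get(c.inode, "unknown")
        verdict = "allowed" if c.remote in allow else "NOT ON LIST"
        rows.append(f"{proc:<12} -> {c.remote[0]}:{c.remote[1]}  {verdict}")
    return rows
```

For live use on Linux, feed `open("/proc/net/tcp").read()` and `map_inodes_to_processes()` into `report()`. Note that applications which speak SOCKS to Tor on the gateway show the gateway's address as the remote endpoint in this table rather than the real clearnet or onion destination, so that layer needs a separate tap (or, as suggested above, enforcement on the Gateway).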