Qubes/Firewall
Qubes VM Manager (QVMM) Firewall Tab Settings in Qubes-Whonix
Qubes VM Manager Firewall Tab Settings
- Short user documentation: The Qubes VM Manager (QVMM) Firewall Tab Settings have no effect for Qubes-Whonix-Workstation VMs by default. These can be ignored.
- Technical details: All the settings are stored in a separate file in the VM directory in dom0, /var/lib/qubes/appvms/whonix/firewall.xml. If the VM is running, those settings are converted to nftables syntax and loaded into the QubesDB of the directly connected Net Qube. The qubes-firewall service in the Net Qube watches for such changes and applies the rules.
- For example, in the case of anon-whonix, the connected Net Qube is sys-whonix. Since the qubes-firewall service is disabled in Whonix, these settings do not affect Whonix.
- The file /usr/lib/systemd/system/qubes-firewall.service.d/40_qubes-whonix.conf (part of the qubes-whonix package) disables qubes-firewall.service.
- This will be fixed in the near future: https://github.com/Whonix/qubes-whonix/commit/7009e0b12c321dfb3422645badea7d6cc41fd043
sources:
- https://groups.google.com/g/qubes-devel/c/uzgN42uEJpE/m/hymUCMxoCwAJ
- https://github.com/QubesOS/qubes-issues/issues/1323
- https://groups.google.com/forum/#!topic/qubes-devel/uzgN42uEJpE
Enable Qubes Firewall Tab for Qubes-Whonix
1. Delete the systemd drop-in configuration snippet which is responsible for disabling Qubes Firewall Tab for Qubes-Whonix.
Inside the Template.
sudo rm /usr/lib/systemd/system/qubes-firewall.service.d/40_qubes-whonix.conf
NOTE: This does not survive upgrade of the qubes-whonix package. (Fixed in git. File removed in git.)
2. Shutdown the Template.
3. Reboot any App Qube that was based on that Template.
4. Done.
Whonix-Gateway Firewall
1. Prerequisite knowledge.
- Firewall rule placement: When adding firewall rules to QVMM Firewall Tab Settings for Whonix-Gateway, these will be enforced by Whonix-Gateway's Net Qube as per the Qubes default, which is sys-firewall by default.
- Use case, bridge firewall: Useful as a Bridge Firewall. The user could limit connections to only the IP addresses of the Bridges the user has configured.
- Cannot filter IP destinations: This cannot be used to block specific destination IP addresses over Tor. For example, if blocking IP 8.8.8.8 in QVMM Firewall Tab Settings for Whonix-Gateway, Tor Browser and other applications will still be able to reach that IP address. This is because the Net Qube can only see traffic encrypted by Tor on its way to Tor relays or bridges. Netfilter on the Net Qube is incapable of looking "inside" the Tor connection. Hence, no destination IPs can be blocked.
2. Add firewall rules in dom0 QVMM for Whonix-Gateway QVMM Firewall Tab Settings.
To set up a bridge firewall:
- QVMM -> select Limit outgoing connections to ... -> press the plus ("+") symbol -> enter the IP address of the bridge -> repeat for additional bridges if applicable
3. Done.
Whonix-Workstation Firewall
1. Prerequisite knowledge.
- Firewall rule placement: When adding firewall rules to QVMM Firewall Tab Settings for Whonix-Workstation, these will be enforced by Whonix-Workstation's Net Qube as per Qubes default, which is Whonix-Gateway by default.
- stream isolation
- transparent proxying
- There are two types of traffic.
- 1) Socksified traffic:
- Firewall versus Stream Isolation: Stream isolated applications cannot be firewalled without DPI (deep packet inspection). See SOCKS Firewalling for a detailed technical explanation.
- related: Tor Browser Filtering
- Two options to filter socksified traffic:
- A) disable stream isolation (discouraged!) (and possibly also Disable Socksified Connections) and rely entirely on transparent proxying; or
- B) Use DPI. (See above linked SOCKS Firewalling wiki page for inspiration on how to do that. Inspiration only. This remains undocumented.)
- 2) Transparent Proxying traffic:
- Firewall versus Transparent Proxying: Also cannot be firewalled yet. Most likely firewall rules by Whonix are redirecting traffic to Tor's SocksPort/DnsPort before Qubes user custom firewall rules are processed.
2. Enable QVMM Firewall Tab Settings.
Documented above.
3. Add firewall rules in dom0 QVMM for Whonix-Gateway QVMM Firewall Tab Settings.
- Usefulness: Currently none until above issue has been resolved.
4. Done.
Verify Changed Firewall Rules
1. Identify the Net Qube where to run the following commands.
- Whonix-Gateway (sys-whonix) QVMM Firewall Tab Settings: sys-firewall
- Whonix-Workstation (anon-whonix) QVMM Firewall Tab Settings: sys-whonix
2. Store current nftables rules to file nftables-old.
sudo nft --stateless list ruleset > nftables-old
3. Change QVMM Firewall Tab Settings.
4. Store current nftables rules to file nftables-new.
sudo nft --stateless list ruleset > nftables-new
5. Compare files nftables-old and nftables-new.
Use console diff viewer or...
diff nftables-old nftables-new
Use a graphical diff viewer.
meld nftables-old nftables-new
6. Done.
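As an added example (not part of the Whonix documentation), the following Python compares two nft --stateless list ruleset dumps, as in steps 2 to 5 above, and checks that the rules added for a Whonix-Gateway bridge firewall only accept traffic to the configured bridge IPs. Both rule sets and the chain name are constructed for illustration, and 192.0.2.10 and 198.51.100.7 are documentation addresses standing in for bridge IPs.

```python
import ipaddress
import re

# Constructed nftables-old excerpt (nft --stateless list ruleset); chain name is an assumption.
NFT_OLD = """\
	chain qbs-10-137-0-20 {
		accept
	}
"""
# Constructed nftables-new excerpt after limiting outgoing connections to two bridge IPs.
NFT_NEW = """\
	chain qbs-10-137-0-20 {
		ip daddr 192.0.2.10 tcp dport 443 accept
		ip daddr 198.51.100.7 accept
		reject with icmp type admin-prohibited
	}
"""

def rules_by_chain(ruleset):
    """Map chain name -> list of rule lines in an nft ruleset dump."""
    chains, current = {}, None
    for raw in ruleset.splitlines():
        line = raw.strip()
        m = re.match(r"chain (\S+) \{", line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif line == "}":
            current = None
        elif current is not None and not line.startswith("type "):
            chains[current].append(line)  # skip "type ... hook ..." header lines
    return chains

def diff_rules(old, new):
    """Return (added, removed): per-chain rules present in only one dump."""
    a, b = rules_by_chain(old), rules_by_chain(new)
    added = {c: [r for r in rs if r not in a.get(c, [])] for c, rs in b.items()}
    removed = {c: [r for r in rs if r not in b.get(c, [])] for c, rs in a.items()}
    return {c: v for c, v in added.items() if v}, {c: v for c, v in removed.items() if v}

def accepts_only(rules, bridge_ips):
    """True if every accept rule names a destination inside bridge_ips."""
    allowed = {ipaddress.ip_address(i) for i in bridge_ips}
    for rule in rules:
        if rule.split()[-1] != "accept":
            continue
        m = re.search(r"ip daddr (\S+)", rule)
        if m is None or ipaddress.ip_address(m.group(1)) not in allowed:
            return False
    return True
```

On a real Net Qube, read the two files written in steps 2 and 4 instead of the embedded strings; a bare accept (as in the old dump) or an accept whose destination is not a configured bridge makes accepts_only return False.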
Development Discussion
https://forums.whonix.org/t/qubes-sys-whonix-does-not-do-its-job-as-qubes-firewallvm/18937
Issues
Qubes issues:
- Changing firewall rules does not block already-established connections
- Firewall restrictions through GUI don't affect ping
- Unite IPv4 and IPv6 qubes firewall tables