Not sure how to test this. I read through T533 and found this command but it does not restrict Apt traffic.
sudo rm /var/run/sdwdate/* && sudo service sdwdate restart && sudo service tor restart && whonixcheck_tor_bootstrap_wait_max=10 whonixcheck --gui --cli
Also edited :
Changed firewall_mode=full -> firewall_mode=timesync-fail-closed but Apt traffic still possible.
Obviously I'm not going in the right directions with this. Or doing something wrong?
Got it. Set firewall_mode=timesync-fail-closed in sys-whonix and reload whonix_firewall. When that is done both whonix-ws-14 and whonix-gw-14 upgrades fail.
Ign:1 tor+http://sgvtcaew4bxjd7ln.onion stretch/updates InRelease Ign:2 http://vwakviie2ienjx6t.onion/debian stretch-backports InRelease Err:3 tor+http://sgvtcaew4bxjd7ln.onion stretch/updates Release 500 Unable to connect [...] E: The repository 'tor+http://sgvtcaew4bxjd7ln.onion stretch/updates Release' does no longer have a Release file. N: Updating from such a repository can't be done securely, and is therefore disabled by default. N: See apt-secure(8) manpage for repository creation and user configuration details.