As I see, qrexec and qvm-run are the tools to implement the needed commands later.
My idea to get to a working solution would be to fiddle out the needed configuration steps as a list of commands that have to be run one by one in dom0 or the different VMs.
Some commands need to be run once, like adding the 2nd virtual interface to a client or server VM. Others will have to be run each time a virtual machine is started, especially the dynamic configuration of the internal firewall.
Many of these steps are similar to those which happen when starting a VM and connecting it to the default sys-firewall. Does anyone know where to find a schedule of this, so we can do a little copy and paste?
No, it could be used for communication between VMs instead of using networking.
For example, if you need to connect from pgClientVM to a PostgreSQL server that’s running on port 5432 in pgServerVM, then you need to set up qrexec in these two VMs as described in my link, but just change the port number. Then in pgClientVM you’ll connect to the PostgreSQL server using the local address 127.0.0.1:5432, and the connection will be passed to the PostgreSQL server in pgServerVM.
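The forwarding described in the reply above, as an added example that is not part of the thread or of the linked instructions: a helper that writes a single narrow qrexec policy rule for the pgClientVM to pgServerVM case and prints the client-side command. It assumes Qubes OS 4.1+ with the stock `qubes.ConnectTCP` service and `qvm-connect-tcp` tool; the function names and the `POLICY_FILE` override are hypothetical.

```shell
#!/bin/sh
# Added example: allow exactly one qrexec TCP forward (client -> server:port).
# Assumption: Qubes OS 4.1+ policy format and the stock qubes.ConnectTCP service.

# dom0 policy file (assumed path; set POLICY_FILE to a scratch file for a dry run).
POLICY_FILE="${POLICY_FILE:-/etc/qubes/policy.d/30-user-networking.policy}"

# Build the policy line. Wildcards such as @anyvm and malformed ports are
# rejected so the rule names one source, one target and one port only.
connecttcp_rule() {
    client=$1 server=$2 port=$3
    for name in "$client" "$server"; do
        case $name in
            ''|*[!A-Za-z0-9_.-]*) echo "bad qube name: $name" >&2; return 1 ;;
        esac
    done
    case $port in
        ''|0*|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    printf 'qubes.ConnectTCP +%s %s @default allow target=%s\n' \
        "$port" "$client" "$server"
}

# Append the rule to POLICY_FILE unless the identical line is already present.
install_rule() {
    rule=$(connecttcp_rule "$@") || return 1
    touch "$POLICY_FILE" || return 1
    grep -qxF -- "$rule" "$POLICY_FILE" || printf '%s\n' "$rule" >> "$POLICY_FILE"
}

# Command to run inside the client qube; it binds 127.0.0.1:<port> there.
client_command() {
    printf 'qvm-connect-tcp %s:@default:%s\n' "$1" "$1"
}
```

In dom0, `install_rule pgClientVM pgServerVM 5432` adds the rule; the output of `client_command 5432` is then run in pgClientVM, after which the client connects to 127.0.0.1:5432.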
Yes, it’s possible and it would do its work for this special purpose.
My idea for this topic is different:
There are many people who know how to work with standard tools. They have got their LAN, servers and some client machines which connect to them, and a firewall to connect this all to the outside world.
I want to give them an easy way to rebuild this on a Qubes host. If we do it the Qubes way, they won’t be able to switch easily from one environment to the other and back without special knowledge. The greater problem: they can’t discuss problems that may occur with fellows in their company.