I think you are mistaken or unclear on many points, and so your post is
somewhat misleading.
I’m not clear which part you think is not universally true. By default
all qubes prohibit incoming traffic except for ICMP: this means NEW incoming
traffic. Responses to outgoing traffic are of course enabled.
It would help if you explained exactly what you want to do. If you want
to block everything outgoing except traffic to ports 80, 443, it’s trivial to do
this in the settings GUI on the firewall tab.
However, the GUI will continue to allow DNS and ICMP traffic. If you
want to block that:
qvm-firewall QUBE del --rule-no 0
qvm-firewall QUBE add proto=tcp dstports=80 accept
qvm-firewall QUBE add proto=tcp dstports=443 accept
qvm-firewall QUBE add drop
Once you have a firewall set for one qube, you can export the settings
to file:
qvm-firewall --raw QUBE > firewall_settings
And then use those settings for other qubes:
cat firewall_settings | qubesd-query --fail -- dom0 admin.vm.firewall.Set OTHER_QUBE
You can make the firewall as restrictive as you wish.
This is not true. By default qubes prohibit incoming traffic, so
although the attacker can send packets, they will not be accepted. The
attacker might be able to probe for weaknesses in the firewall or
networking stacks, or have an exploit using ICMP, or an attack that took
advantage of weaknesses in the allowed forwarding of traffic, but that
is a level above what you are suggesting.
I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.
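As an added illustration (my own code, not from the post above or from the Qubes project), a small first-match evaluator over rule lines in the key=value form that the --raw export produces; the token names (action, proto, dstports) and the rule sets are my assumptions, built to show why the trailing drop rule blocks DNS and ICMP that the GUI's extra accept rules would otherwise let through:

```python
# Added example, not code from the Qubes project. Rule lines follow the
# "action=... proto=... dstports=lo-hi" form as I understand the --raw
# export (assumption); rule sets and test packets are constructed.
from dataclasses import dataclass
from typing import Optional, Tuple, List, Dict

@dataclass
class Rule:
    action: str
    proto: Optional[str] = None            # None matches any protocol
    ports: Optional[Tuple[int, int]] = None  # None matches any port

def parse_rule(line: str) -> Rule:
    kv = dict(tok.split("=", 1) for tok in line.split())
    ports = None
    if "dstports" in kv:
        lo, _, hi = kv["dstports"].partition("-")
        ports = (int(lo), int(hi or lo))
    return Rule(kv["action"], kv.get("proto"), ports)

def evaluate(rules: List[Rule], proto: str, dstport: Optional[int] = None,
             default: str = "drop") -> str:
    """Walk the rules top to bottom; the first matching rule decides.
    `default` is applied when nothing matches (assumed value)."""
    for r in rules:
        if r.proto and r.proto != proto:
            continue
        if r.ports and (dstport is None or not r.ports[0] <= dstport <= r.ports[1]):
            continue
        return r.action
    return default

# Constructed: the post's rule set after deleting rule 0 and adding 80/443 + drop.
STRICT = [parse_rule(l) for l in """
action=accept proto=tcp dstports=80-80
action=accept proto=tcp dstports=443-443
action=drop
""".splitlines() if l.strip()]

# Constructed: the same set with DNS and ICMP accept rules ahead of the drop,
# modelling what the GUI keeps when those options stay enabled.
GUI_LIKE = [parse_rule("action=accept proto=udp dstports=53-53"),
            parse_rule("action=accept proto=icmp")] + STRICT

def check(rules: List[Rule]) -> Dict[str, str]:
    """Verdict for a few representative outgoing flows (constructed)."""
    flows = {"https": ("tcp", 443), "dns": ("udp", 53),
             "ping": ("icmp", None), "ssh": ("tcp", 22)}
    return {name: evaluate(rules, *pkt) for name, pkt in flows.items()}
```

Running check(STRICT) shows only https accepted, while check(GUI_LIKE) also accepts dns and ping, which is the difference the post describes between the GUI and the qvm-firewall rule set.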