Hi webgear,
By default, qubes that provide a network to other qubes do not allow inbound connections to their clients[1], and outbound connections are NAT-ed by their network qube[2]. In order for a qube to have a port exposed to the network, each qube in the networking chain must be configured via nftables rules to forward packets from its external interface to the next qube in the chain. For example, for a qube named QubeDest to receive packets on a port under the default Qubes networking setup, you must[1]:
- In the sys-net VM:
  - Route packets from the outside world to the sys-firewall VM
  - Allow packets through the sys-net VM firewall
- In the sys-firewall VM:
  - Route packets from the sys-net VM to the VM
  - Allow packets through the sys-firewall VM firewall
- In the qube QubeDest:
  - Allow packets through the qube firewall to reach the service
I am unsure how this behavior would be implemented inside a Mirage sys-firewall. It seems that in order to implement such custom firewall rules in Mirage for Qubes, modification of its kernel code would be required[3].
I hope this helps!
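The three-hop forwarding chain described in this reply, written out as nftables rules (an added example, not code from the post or from the Qubes project). It assumes a `qubes` table with user chains `custom-input` and `custom-forward`, `eth0` as the external interface in sys-net and the upstream interface in sys-firewall, TCP port 443 as the service, and constructed addresses 10.137.0.5 (sys-firewall) and 10.137.0.20 (QubeDest); check all of these with `nft list ruleset` inside each qube before loading anything.

```nft
# --- fragment 1: load inside sys-net ---
# Route packets from the outside world to sys-firewall (DNAT), then allow
# the forwarded flow through sys-net's own firewall. Table and chain names
# are assumptions; addresses are constructed for this example.
table ip qubes {
    chain custom-dnat {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "eth0" tcp dport 443 ct state new dnat to 10.137.0.5
    }
    chain custom-forward {
        iifname "eth0" ip daddr 10.137.0.5 tcp dport 443 \
            ct state new,established,related accept
    }
}

# --- fragment 2: load inside sys-firewall ---
# Same pattern one hop further: rewrite the destination to QubeDest and
# allow the forward. Only the port that is really needed is opened.
table ip qubes {
    chain custom-dnat {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "eth0" tcp dport 443 ct state new dnat to 10.137.0.20
    }
    chain custom-forward {
        iifname "eth0" ip daddr 10.137.0.20 tcp dport 443 \
            ct state new,established,related accept
    }
}

# --- fragment 3: load inside QubeDest ---
# Let the service itself receive the packets; nothing else is accepted.
table ip qubes {
    chain custom-input {
        tcp dport 443 ct state new,established,related accept
    }
}
```

Each fragment is loaded separately in its own qube (for example with `nft -f`), and the return traffic needs no extra rules because the conntrack entries created by the DNAT handle it.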