Is it possible to restrict the qube.ConnectTCP permission to a certain port?

Hello,

I wanted to set up a qube that has ssh access to another qube. However, in the documentation I found this warning:

# WARNING: The qubes.ConnectTCP service is dangerous and allows any
# qube to access any other qube TCP port. It should be restricted
# only to restricted qubes. This is why the default policy is 'deny'

Does this policy restrict the access to the ssh server's port 22, or is it possible for the client to access other qubes' ports / other ports from the same qube?

qubes.ConnectTCP +22 ssh-client @default allow target=ssh-server notify=no

The key part of that comment is the final sentence: “the default policy is ‘deny’”.

Policies work linearly. As soon as there is a match, it is executed.

Your rule for port 22, assuming it is loaded before the default policy, will match first. It only applies to port 22. If a request for a different port occurs, this rule will not match and it will continue down, eventually reaching the default policy - deny.

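To illustrate the first-match behaviour described in the answer, here is an added example (not Qubes OS' own policy parser, and simplified: it handles only the rule shape used in the post, treats `*` as any argument and `@anyvm` as any qube, and assumes a request with no explicit target is sent to `@default`). It evaluates the port-22 rule from the question followed by an explicit default deny.

```python
# Simplified first-match model of a Qubes RPC policy file (added example,
# not the real qrexec policy engine).
from dataclasses import dataclass

@dataclass
class Rule:
    service: str
    argument: str   # "+22", or "*" for any argument
    source: str     # qube name or "@anyvm"
    target: str     # qube name, "@default" or "@anyvm"
    action: str     # "allow" | "deny" | "ask"
    params: dict    # key=value options such as target=... notify=...

def parse_policy(text: str) -> list:
    """Parse rule lines; '#' comments and blank lines are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        service, arg, src, dst, action, *params = line.split()
        rules.append(Rule(service, arg, src, dst, action,
                          dict(p.split("=", 1) for p in params)))
    return rules

def evaluate(rules, service, argument, source, target="@default"):
    """Return (action, effective_target) from the FIRST matching rule.

    Rules are checked top to bottom; a non-matching rule is skipped and the
    search continues, so a rule for +22 says nothing about other ports.
    """
    for r in rules:
        if r.service not in (service, "*"):
            continue
        if r.argument not in ("+" + argument, "*"):
            continue
        if r.source not in (source, "@anyvm"):
            continue
        if r.target not in (target, "@anyvm"):
            continue
        # 'target=' redirects an allowed call; deny/ask carry no target here
        effective = r.params.get("target", target) if r.action == "allow" else None
        return r.action, effective
    # No rule matched at all: treated as deny, like the default policy
    return "deny", None

# Constructed policy: the rule from the question plus an explicit default deny
POLICY = """
# Only ssh-client may reach ssh-server, and only on TCP port 22
qubes.ConnectTCP +22 ssh-client @default allow target=ssh-server notify=no
qubes.ConnectTCP * @anyvm @anyvm deny
"""
RULES = parse_policy(POLICY)
```

Running `evaluate(RULES, "qubes.ConnectTCP", "22", "ssh-client")` allows and redirects to ssh-server, while the same client asking for port 8080, or any other qube asking for port 22, falls through to the deny rule.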