Hi Caesar,
Problem solved. So simple it is embarrassing.
I followed this guide to disable the local firewall on my Kali VM, but apparently installing ufw, stopping and disabling the service is not sufficient on my QubesOS AppVM. Should have tested this first.
I cleaned out all rules manually and problem solved. I was under the impression that firewalls stop enforcing when you stop the firewall service, but I learned something new today. Took some time and I am sorry to have bothered you with such a trivial challenge.
I have no non-QubesOS Kali to test with, so I don’t know if it is Qubes specific, but I will investigate later.
Thank you all for your time.
Sincerely
Max
reference:
ufw issue:
┌──(user㉿kali-max)-[~]
└─$ sudo ufw disable
Firewall stopped and disabled on system startup
┌──(user㉿kali-max)-[~]
└─$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
DROP udp -- anywhere anywhere udp dpt:bootpc
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
QBS-FORWARD all -- anywhere anywhere
DROP all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain QBS-FORWARD (1 references)
target prot opt source destination
┌──(user㉿kali-max)-[~]
└─$
Problem resolution:
┌──(root💀kali-max)-[~]
└─# iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
┌──(root💀kali-max)-[~]
└─# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
┌──(user㉿kali-max)-[~]
└─$ sudo tshark -itun0
Running as user "root" and group "root". This could be dangerous.
Capturing on 'tun0'
** (tshark:3672) 03:47:05.461425 [Main MESSAGE] -- Capture started.
** (tshark:3672) 03:47:05.461493 [Main MESSAGE] -- File: "/tmp/wireshark_tun05393E1.pcapng"
snip
442 689.641839995 10.11.58.193 → 10.10.72.134 TCP 52 37983 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 WS=128
443 689.687301509 10.10.72.134 → 10.11.58.193 TCP 52 80 → 37983 [SYN, ACK] Seq=0 Ack=1 Win=26883 Len=0 MSS=1285 SACK_PERM=1 WS=128
444 689.687327353 10.11.58.193 → 10.10.72.134 TCP 40 37983 → 80 [ACK] Seq=1 Ack=1 Win=64256 Len=0
snip
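
An added example, not part of the original post: a small check that reads `iptables-save` output and reports whether any rules, non-ACCEPT policies or user-defined chains are still loaded after a firewall front end such as ufw has been disabled. The function names and both sample rule sets are constructed for illustration, with the first sample modelled on the listing above.

```shell
#!/bin/sh
# Added example: summarise what is still loaded in netfilter, given
# `iptables-save` text on stdin. Disabling a front end such as ufw does
# not by itself show that the kernel rule set is empty.

# Prints "rules=N drop_policies=N user_chains=N".
netfilter_summary() {
    awk '
        /^:/ {
            # Chain declaration: ":NAME POLICY [pkts:bytes]".
            # Built-in chains carry a policy; user-defined chains show "-".
            if ($2 == "-") user++
            else if ($2 != "ACCEPT") drop++
        }
        /^-A / { rules++ }   # one line per appended rule
        END { printf "rules=%d drop_policies=%d user_chains=%d\n", rules, drop, user }
    '
}

# Succeeds only when nothing is left that could filter traffic.
netfilter_is_open() {
    [ "$(netfilter_summary)" = "rules=0 drop_policies=0 user_chains=0" ]
}

# Constructed sample: rules left behind after the front end was disabled.
sample_after_ufw_disable() { cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:QBS-FORWARD - [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j QBS-FORWARD
-A FORWARD -j DROP
COMMIT
EOF
}

# Constructed sample: the same table after policies were reset and chains flushed.
sample_after_flush() { cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}
```

On a live system the input would come from `sudo iptables-save | netfilter_summary` instead of the constructed samples.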