Hypothetically, if I were to use Qubes OS with only Whonix templates (thus meaning no connection to anything besides Tor), updates would be routed through Tor and the Clock qube would be based on Whonix (I have not tested if that works yet), along with sys-net and sys-firewall based on Debian.
What clearnet connections would be made? I am not in a position to test this right now but I am interested in knowing if someone else has.
I am assuming that sys-net and sys-firewall based on Debian would make their own network connections once in a while.
If the system time is incorrect (badly distorted), you will not be able to connect to Tor. Leave the qube clock on sys-net, or you may not assign it at all and adjust the time manually if necessary.
If you plan to use only whonix templates, you do not need sys-firewall. In sys-net, configure outgoing firewall traffic only to the tor servers and, if the qube clock is installed, also to the time synchronization servers.
Other traffic will be standard Qubes update checks, and any residual stock
traffic. On Debian, provided you have masked all services, there should
You can set the firewall on sys-net and sys-firewall to block all
outbound traffic if you wish. (I mean the internal firewall in the qube,
not the Qubes firewall)
I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.
Does that work without breaking their usability as NetVMs?
Yes - it is blocking traffic originating from those qubes, not
traffic being forwarded through them.
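To make the distinction in the last answer concrete, here is an added example (not code from the thread's posters or from the Qubes project) that generates an nftables ruleset for a NetVM such as sys-net: it drops traffic the qube itself originates (the `output` hook) while leaving forwarded traffic (the `forward` hook) untouched. The table name, the upstream interface name and the allow-listed destination addresses are placeholders you would replace; the script only prints the ruleset so it can be reviewed before loading it with `nft -f` as root inside the qube.

```shell
#!/bin/sh
# Added example, not Qubes' own configuration. Emits an nftables ruleset that
# filters only packets generated by this qube (output hook). Packets that
# downstream qubes send through this NetVM traverse the forward hook, which
# this table never registers, so their connectivity is unaffected.
# Table name and interface/IP arguments are placeholders (assumptions).

# gen_ruleset UPSTREAM_IFACE [ALLOWED_IP ...]
# Allows loopback, DHCP on the upstream link, follow-up packets of flows that
# were already accepted, and new outbound connections only to the listed IPs
# (e.g. time-sync servers, as suggested earlier in the thread). Everything
# else the qube itself originates is logged and dropped.
gen_ruleset() {
    iface="$1"; shift
    printf 'table inet qubes-own-traffic {\n'
    printf '  chain output {\n'
    printf '    type filter hook output priority 0; policy drop;\n'
    printf '    oif "lo" accept\n'
    # Drop this rule if the upstream interface has a static address.
    printf '    oifname "%s" udp sport 68 udp dport 67 accept\n' "$iface"
    printf '    ct state established,related accept\n'
    for ip in "$@"; do
        printf '    oifname "%s" ip daddr %s ct state new accept\n' "$iface" "$ip"
    done
    printf '    log prefix "netvm-own-traffic-drop: " drop\n'
    printf '  }\n'
    printf '}\n'
}

# Review the generated text before applying it; the documentation-IP
# addresses below are constructed sample values.
gen_ruleset eth0 192.0.2.10 192.0.2.11
```

Dropped packets show up in the qube's kernel log with the `netvm-own-traffic-drop:` prefix, which is a simple way to discover which stock services are still trying to reach the clearnet.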