corridor is indeed the wrong tool for this topic. (Unless it’s installed on your router. In that case it’s a nice fail-safe mechanism that can also point out some misconfigurations of your e.g. Qubes OS device, allowing you to fix them before you use the device with a non-corridor router.)
To avoid making non-Tor connections on a Qubes OS device in the first place:
- Set the system’s default net qube to sys-whonix or none, and don’t override it to sys-firewall or sys-net for individual qubes (except for sys-whonix itself, which usually should have sys-firewall as its net qube)
- Set the clock qube to sys-whonix or none
- Set the dom0 update proxy to sys-whonix
- Set the template update proxy to sys-whonix for both Whonix and non-Whonix templates
- sys-net and sys-firewall are special, because they are upstream from sys-whonix. Add nftables rules (ordered before the systemd `network-pre.target`) to prevent them from generating their own (non-loopback) output.
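
An added example, not part of the original post: a dom0 check for the first item of the list above, flagging any qube whose net qube is neither sys-whonix nor none. It assumes `qvm-ls --raw-data --fields NAME,NETVM` prints one `name|netvm` line per qube with `-` or an empty field for "none"; the function name and the sample inventory are constructed for illustration.

```bash
#!/bin/sh
# Added example: audit net-qube assignments for non-Tor paths.
# Real use in dom0 (output format assumed as described in the lead-in):
#   qvm-ls --raw-data --fields NAME,NETVM | audit_netvm

TOR_GW="sys-whonix"   # Tor gateway qube name used in the post

# Reads "name|netvm" lines on stdin, prints every qube that has a
# non-Tor net qube, and returns 1 if any such qube was found.
audit_netvm() (
    bad=0
    while IFS='|' read -r name netvm || [ -n "$name" ]; do
        [ -z "$name" ] && continue
        case "$netvm" in
            ""|-|"$TOR_GW") continue ;;   # offline, or routed through Tor
        esac
        # Upstream chain the post treats as special:
        # sys-whonix -> sys-firewall -> sys-net
        case "$name|$netvm" in
            "$TOR_GW|sys-firewall"|"sys-firewall|sys-net") continue ;;
        esac
        printf '%s -> %s\n' "$name" "$netvm"
        bad=1
    done
    [ "$bad" -eq 0 ]
)

# Constructed sample inventory (not from a real system).
sample_inventory() {
    cat <<'EOF'
sys-net|-
sys-firewall|sys-net
sys-whonix|sys-firewall
anon-whonix|sys-whonix
vault|-
work|sys-firewall
sys-usb|
personal|sys-net
EOF
}

# Demo run: lists "work" and "personal" as bypassing sys-whonix.
sample_inventory | audit_netvm || echo "qubes listed above bypass $TOR_GW"
```

The check covers per-qube net qube overrides only; the clock qube, the update proxies and the nftables rules in sys-net and sys-firewall still need to be verified separately.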