I would try to find the IP of the email provider if you are using a VM for email, e.g. Tutanota's IP address is 81.3.6.162 (no IMAP with them), therefore my firewall settings for that VM would be:
IP: 81.3.6.162
Service: https (or port 443)
Protocol: TCP
Things I have learned about the firewall include:
1) You can type a port number into the service field instead of just using what's in the "Services" dropdown selection
2) MXToolbox is a good tool to find an IP address of a website
3) I created a print VM that only allows access to my networked printer's IP and the network printer's port. With this VM I can access only the printer. Maybe your vault uses this VM as its DVM. I don't trust printers in general, but at least it's restricted
For web, only 443 (https) and 80 (http) are needed for the most part. I believe ICMP (pings) and port 53 (DNS) are allowed automatically. Open to being corrected. It would be nice to control the DNS more (Quad9 DNS resolver or OpenDNS). Not sure how to do this with ease.
For Thunderbird, you could research your email provider's IP and change the "*"/ANY to the specific IP or IPs.
Google, Apple and others generally publish the ports needed for a service to work.
Qubes team, I would agree this latest update is working like a charm; it has improved Qubes Manager and resolved the Fedora/PulseAudio update problem I was having. Thank you again for the work!
For example:
I have a DVM set up for printing only; the firewall rules on that DVM are:
Address: printer's wireless IP = 192.168.1.6 (fixed IP in my case)
Service (or port): 515 (Canon) or 9100 (HP); other ports might be needed, including 631 and 427. Research your printer for what's required...
Protocol: TCP only
For my email IMAP AppVM (in the email AppVM's "Firewall" tab):
2 rules:
Address: 66.11.4.135 (imap.fastmail.com)
Service(or port): 993
Protocol: TCP
Address: 66.11.4.140 (smtp.fastmail.com)
Service(or port): 465
Protocol: TCP
(To be honest, I use a different email provider, so the IP and ports are different, but you get the idea. This info, as with my own, is usually published on the site or available by asking the network admin.)
My "Web Surfing" DVM has no firewall rules, i.e. "Allow All", and I can also print from it. This could be tightened up if needed...
I have played with my VPN AppVM as follows (kind of a kill switch?):
Address: 168.1.75.17 (IP address to my VPN connection)
Service(or port): 1194
Protocol: TCP
You might have an AdminVM for your router, firewall or switch, which could be:
Address: 192.168.4.6
Service (or port): 31006 (I think there are 65000+ ports available)
Protocol: TCP
My sys-firewall does not have any restrictions
With this set up, I can:
a) Assign the Print DVM to my Vault and Email AppVM; I think this is most important for the email AppVM, to prevent a malicious attachment from "calling home" when opened (although it could go through my printer?).
b) Assign the web surfing DVM to my "untrusted" domain
c) Have a restricted AppVM for Web GUI admin functions
I just take a stricter approach and block ALL, then whitelist when needed... for me this gives me what I need. Again, open to feedback if this is wrong...
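As an added example, not code from any of the posts above: the allow-list rules described for the print DVM (first post, item 3) and for the email AppVM (the IMAP/SMTP rules in the later post) can also be set from dom0 with the `qvm-firewall` command-line tool instead of the "Firewall" tab. The script below validates each rule (dotted-quad address, tcp/udp, port 1..65535) and prints the dom0 commands rather than running them, so it can be reviewed first. It assumes qvm-firewall's key=value rule syntax (dsthost=, proto=, dstports=), its `add`/`del --rule-no` subcommands, and that a qube starts with the Qubes default of a single "accept" rule at index 0; the IP addresses are the ones quoted in the thread, used here as constructed sample input.

```shell
#!/bin/sh
# Emit the dom0 `qvm-firewall` commands for a block-all-then-whitelist qube.
# Added example; assumes the key=value rule syntax (dsthost=, proto=, dstports=)
# and that the qube still has Qubes' default single "accept" rule at index 0.
# Nothing is executed here: review the output, then pipe it into `sh` on dom0.

# is_ipv4 ADDR: accept only a dotted quad with each octet in 0..255
is_ipv4() {
    _ip=$1
    case $_ip in ''|.*|*.) return 1 ;; esac
    _oldifs=$IFS; IFS=.
    set -- $_ip
    IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# is_port N: a TCP/UDP destination port, 1..65535 (there are 65535, not "65000+")
is_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# accept_rule QUBE HOST PROTO PORT: print one "add accept" command after
# validating its parts; prints nothing and returns 1 on a bad rule.
accept_rule() {
    _q=$1 _h=$2 _p=$3 _port=$4
    is_ipv4 "$_h" || { echo "bad host: $_h" >&2; return 1; }
    case $_p in tcp|udp) ;; *) echo "bad proto: $_p" >&2; return 1 ;; esac
    is_port "$_port" || { echo "bad port: $_port" >&2; return 1; }
    printf 'qvm-firewall %s add accept dsthost=%s proto=%s dstports=%s\n' \
        "$_q" "$_h" "$_p" "$_port"
}

# allowlist QUBE HOST/PROTO/PORT...: emit the accept rules, then a final
# "drop", then delete the default accept-all that sat at index 0.  Rules are
# matched first-hit, so accepts appended *behind* the default "accept" would
# change nothing; the result here is: accept..., accept..., drop.
allowlist() {
    _q=$1; shift
    for _r in "$@"; do
        _host=${_r%%/*}; _rest=${_r#*/}
        _proto=${_rest%%/*}; _port=${_rest#*/}
        accept_rule "$_q" "$_host" "$_proto" "$_port" || return 1
    done
    printf 'qvm-firewall %s add drop\n' "$_q"
    printf 'qvm-firewall %s del --rule-no 0\n' "$_q"
}

# Constructed sample input: the print DVM and the email AppVM from the thread.
main() {
    allowlist print-dvm 192.168.1.6/tcp/9100
    allowlist email 66.11.4.135/tcp/993 66.11.4.140/tcp/465
}

# On dom0: sh gen-rules.sh | sh   (then `qvm-firewall email list` to confirm)
main
```

Running it prints, for the email qube, two "add accept" lines, an "add drop" line, and the "del --rule-no 0" line; anything that is not a dotted-quad address, not tcp/udp, or not a port in 1..65535 is rejected before any command is printed, so a typo cannot silently leave the qube wide open. The one-liner `is_port` check is also the answer to the "65000+ ports" aside: the valid range is 1..65535.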