Whoopsie, I was not expecting that. Now that I know it, I see you on the about-page. So, 100% (okay, 99,9%) trust from now on. I am indeed a software developer and I've studied computer science with network security as my main topic, yes.
Yeah, I was expecting a workaround like that, but I don't want to use such ugly things if there is not a really good reason for doing so. Thanks anyway for the suggestion.
I must have overlooked the qrexec-page on the Qubes OS wiki (twice actually). But it is not easy to find it if you google it quickly.
That's why you probably need to ask on the Qubes mailing list.
Nope, I know how to set up a network between vms. I just don't know how Whonix is configured. I believe I'm in the right forum. Networking works fine so far. And of course, even if the solution from my first post would have worked, I would have asked nevertheless if this is okay from the perspective of Whonix. Nothing is worse than circumventing security by accident and a lack of information.
As far as I see it, qrexec 1) only allows passing stdin/stdout which does not satisfy me (as already explained) 2) always runs through dom0 which is even worse than every IP-based networking, because IP-traffic "only" runs through sys-firewall. So theoretically, if a vm is able to use qrexec at will, it could compromise dom0.
And even worse, qrexec is - as far as I see it - much harder to control if you have fully automatic processes going on (no user-interaction, no okay-clicking). In the IP-world you can limit your traffic to certain IP-addresses and ports and you can limit the permissions of the process listening on a port to a minimum. This way it should not be easy to escalate your privileges across vms. Furthermore, IP-implementations are heavily used and therefore we can assume that they are more robust and well tested than a (in comparison) rare solution like qrexec. (I don't want to be mean to your baby, just telling the truth.)
Don't misunderstand me: For the use-case for which qrexec is built, it's nice. I assume that most users of Qubes OS have no problem at all, clicking an "okay"-button each time they want to do a certain operation across vms. For me - as an example - it was a nice way to copy all the prepared config-files into their destination. And it's still a nice way to boot the whole system using a script in dom0, which relies on scripts in each vm.
But if communication between your vms is essential and happens 24/7, it's maybe not the right solution.
Yeah, I also don't know how to set this up in Qubes OS, but I'm expecting that it is possible, will work and I'm able to research how to do it myself. It was just an idea I came up with and I must state that I'm surprised that you see no problems in doing that.
Maybe you've misunderstood me: I was not suggesting to put this ethernet-card to the Whonix Gateway, but to the workstation! So this way I'm completely circumventing your firewall - at least for the internal networking stuff. Maybe you understand now that I was surprised about your calm reaction.
P.S.: Maybe I'll ask the Qubes OS team if I'm allowed to re-write their networking-across-vms-page. I've read this suggestion between the lines in your comment. We'll see.