diff --git a/salt/dev/README.md b/salt/dev/README.md index 18897c27..2242e9e9 100644 --- a/salt/dev/README.md +++ b/salt/dev/README.md @@ -12,7 +12,8 @@ Development environment in Qubes OS. Setup a development qube named "dev". Defines the user interactive shell, installing goodies, applying dotfiles, being client of sys-pgp, sys-git and -sys-ssh-agent. +sys-ssh-agent. The qube has netvm but can reach remote servers if the policy +allows. ## Installation @@ -41,4 +42,9 @@ The development qube `dev` can be used for: - building programs; - signing commits, tags, pushes and verifying with split-gpg; - fetching and pushing to and from local qube repository with split-git; and -- fetching and pushing to and from remote repository with split-ssh-agent. +- fetching and pushing to and from remote repository with split-ssh-agent and + without direct network connection, you can open port to the desired SSH or + HTTP server. + +As the qube has no netvm, configure the `qusal.ConnectTCP` service to allow +for it to communicate with a remote repository for example. diff --git a/salt/sys-net/README.md b/salt/sys-net/README.md index 5c30b680..5547ece4 100644 --- a/salt/sys-net/README.md +++ b/salt/sys-net/README.md @@ -59,6 +59,16 @@ sudo qubesctl state.apply sys-net.prefs You might need to install some firmware on the template for your network drivers. Check files/admin/firmware.txt. +## Access control + +_Default policy_: every call is denied. + +Qube `dev` can ask to connect to `github.com:22` from `disp-sys-net`: +```qrexecpolicy +qusal.ConnectTCP +github.com+22 dev @default ask target=disp-sys-net +qusal.ConnectTCP * dev @anyvm deny +``` + ## Usage A network manager is provided in `sys-net`, from there you can manager Wi-Fi
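Review bot: In the first salt/dev/README.md hunk (@@ -12,7 +12,8 @@), the added sentence "The qube has netvm but can reach remote servers if the policy allows" contradicts the second hunk of the same file, which says "As the qube has no netvm". The "but" only reads correctly with the negative, so this should be "The qube has no netvm but can reach remote servers if the policy allows". This is the sentence that states the qube's network isolation, so the wording needs to be right.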
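Review bot: In the second salt/dev/README.md hunk (@@ -41,4 +42,9 @@), the last list item runs two sentences together ("... with split-ssh-agent and without direct network connection, you can open port to the desired SSH or HTTP server"), and the closing paragraph names `qusal.ConnectTCP` without saying where the policy is documented. Suggest ending the item after "without direct network connection", moving "you can open a port to the desired SSH or HTTP server" into the paragraph below, and pointing that paragraph at the "Access control" section this patch adds to salt/sys-net/README.md, which carries the example rules.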
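Review bot: In the salt/sys-net/README.md hunk (@@ -59,6 +59,16 @@), "can ask to connect to `github.com:22` from `disp-sys-net`" leaves it unclear which qube is the caller; the rule has `dev` as the source and `target=disp-sys-net`, so "through `disp-sys-net`" would say what is meant. The section also states that the default policy denies every call, yet the example ends with an explicit `qusal.ConnectTCP * dev @anyvm deny`; say whether that line is required or only illustrative, and name the policy file these rules belong in so a reader does not have to guess where to place them.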