diff --git a/salt/dev/README.md b/salt/dev/README.md
index 9e3c2a1f..f554de69 100644
--- a/salt/dev/README.md
+++ b/salt/dev/README.md
@@ -6,6 +6,7 @@ Development environment in Qubes OS.
 * [Description](#description)
 * [Installation](#installation)
+* [Access Control](#access-control)
 * [Usage](#usage)
 ## Description
@@ -22,6 +23,10 @@ allows.
 sudo qubesctl top.enable dev
 sudo qubesctl --targets=tpl-dev,dvm-dev,dev state.apply
 sudo qubesctl top.disable dev
+proxy_target="$(qusal-report-updatevm-origin)"
+if test -n "${proxy_target}"; then
+  sudo qubesctl --skip-dom0 --targets="${proxy_target}" state.apply sys-net.install-proxy
+fi
 ```
 - State
@@ -31,9 +36,35 @@ sudo qubesctl state.apply dev.create
 sudo qubesctl --skip-dom0 --targets=tpl-dev state.apply dev.install
 sudo qubesctl --skip-dom0 --targets=dvm-dev state.apply dev.configure-dvm
 sudo qubesctl --skip-dom0 --targets=dev state.apply dev.configure
+proxy_target="$(qusal-report-updatevm-origin)"
+if test -n "${proxy_target}"; then
+  sudo qubesctl --skip-dom0 --targets="${proxy_target}" state.apply sys-net.install-proxy
+fi
 ```
+The installation will make the Qusal TCP Proxy available in the `updatevm`
+(after it is restarted in case it is template based). If you want to have the
+proxy available on a `netvm` that is not deployed by Qusal, install the Qusal
+TCP proxy on the templates of your `netvm`:
+```sh
+sudo qubesctl --skip-dom0 --targets=TEMPLATE state.apply sys-net.install-proxy
+```
+
+Remember to restart the `netvms` after the proxy installation for the changes
+to take effect.
+
+## Access Control
+
+_Default policy_: `denies` `all` qubes from calling `qusal.ConnectTCP`
+
+Allow qube `dev` to `connect` to `github.com:22` via `disp-sys-net` but not to
+any other host or via any other qube:
+```qrexecpolicy
+qusal.ConnectTCP +github.com+22 dev @default allow target=disp-sys-net
+qusal.ConnectTCP * dev @anyvm deny
+```
+
 ## Usage
 The development qube `dev` can be used for:
diff --git a/salt/dev/create.sls b/salt/dev/create.sls
index d87a5e28..8dafc7cc 100644
--- a/salt/dev/create.sls
+++ b/salt/dev/create.sls
@@ -8,6 +8,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 include:
   - .clone
+  - sys-net.show-updatevm-origin
 {% load_yaml as defaults -%}
 name: tpl-{{ slsdotpath }}
diff --git a/salt/dev/init.top b/salt/dev/init.top
index 79c4e7ee..5e86a83b 100644
--- a/salt/dev/init.top
+++ b/salt/dev/init.top
@@ -14,3 +14,6 @@ base:
     - dev.configure-dvm
   'dev':
     - dev.configure
+  '(I@qubes:type:template or I@qubes:type:standalone) and (G@kernel:Linux or G@kernel:*BSD)':
+    - match: compound
+    - sys-net.install-proxy
diff --git a/salt/sys-net/create.sls b/salt/sys-net/create.sls
index 25a2b0c4..70b55a9b 100644
--- a/salt/sys-net/create.sls
+++ b/salt/sys-net/create.sls
@@ -10,6 +10,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 include:
   - .clone
+  - .show-updatevm-origin
 {% load_yaml as defaults -%}
 name: tpl-{{ slsdotpath }}
diff --git a/salt/sys-net/files/admin/bin/qusal-report-updatevm-origin b/salt/sys-net/files/admin/bin/qusal-report-updatevm-origin
new file mode 100755
index 00000000..0fc0e1f2
--- /dev/null
+++ b/salt/sys-net/files/admin/bin/qusal-report-updatevm-origin
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+## SPDX-FileCopyrightText: 2024 Benjamin Grande M. S.
+##
+## SPDX-License-Identifier: AGPL-3.0-or-later
+
+set -eu
+
+updatevm="$(qubes-prefs updatevm)"
+updatevm_class="$(qvm-prefs "${updatevm}" klass)"
+proxy_target=""
+case "${updatevm_class}" in
+  StandaloneVM) proxy_target="${updatevm}";;
+  AppVM) proxy_target="$(qvm-prefs "${updatevm}" template)";;
+  DispVM)
+    proxy_target="$(qvm-prefs "$(qvm-prefs "${updatevm}" template)" template)"
+    ;;
+esac
+if test -n "${proxy_target}"; then
+  echo "${proxy_target}"
+fi
diff --git a/salt/sys-net/show-updatevm-origin.sls b/salt/sys-net/show-updatevm-origin.sls
new file mode 100644
index 00000000..d70776e7
--- /dev/null
+++ b/salt/sys-net/show-updatevm-origin.sls
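Review bot: The compound target appended to init.top applies sys-net.install-proxy to every Linux/BSD template and standalone once the dev top is enabled, which is much broader than the single updatevm origin that the new `qusal-report-updatevm-origin` helper in this same commit resolves and that the README call sites pass via `--targets="${proxy_target}"`. If that breadth is intended, so that the proxy is present in whichever template backs the user's netvm, a comment in init.top saying so would spare the next reader the question, for example `# proxy is installed in every template so any netvm can serve qusal.ConnectTCP; qrexec policy decides who may reach it`. A least-privilege reading prefers the narrow form, since the proxy then exists only where the policy is expected to route to, and the broad entry also fires on any later untargeted highstate. This is inferred from the visible hunks; the install-proxy state itself is outside the diff.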
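Review bot: The case statement in qusal-report-updatevm-origin has no arm for a TemplateVM updatevm and no default, so any class other than the three listed makes the script print nothing and exit 0, and both README call sites then silently skip the proxy install. A template is its own origin, so the first arm could read `TemplateVM|StandaloneVM) proxy_target="${updatevm}";;`, and a trailing `*) printf 'unsupported updatevm class: %s\n' "${updatevm_class}" >&2;;` keeps the empty-output contract while making the skip visible. An empty updatevm value would instead make `qvm-prefs "" klass` fail under `set -eu`, a noisy error rather than the quiet empty result the callers test for; whether qubes-prefs prints an empty string in that situation I cannot confirm from the hunk, so a `test -n "${updatevm}" || exit 0` guard after the first assignment may be worth it. `printf '%s\n' "${proxy_target}"` is the safer spelling of the final echo.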
@@ -0,0 +1,14 @@
+{#
+SPDX-FileCopyrightText: 2024 Benjamin Grande M. S.
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+"{{ slsdotpath }}-get-updatevm-origin":
+  file.managed:
+    - name: /usr/local/bin/qusal-report-updatevm-origin
+    - source: salt://{{ slsdotpath }}/files/admin/bin/qusal-report-updatevm-origin
+    - mode: "0755"
+    - user: root
+    - group: root
+    - makedirs: True
diff --git a/salt/sys-net/show-updatevm-origin.top b/salt/sys-net/show-updatevm-origin.top
new file mode 100644
index 00000000..c8ac494e
--- /dev/null
+++ b/salt/sys-net/show-updatevm-origin.top
@@ -0,0 +1,10 @@
+{#
+SPDX-FileCopyrightText: 2024 Benjamin Grande M. S.
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'dom0':
+    - match: nodegroup
+    - sys-net.show-updatevm-origin
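Review bot: The state id in show-updatevm-origin.sls is `{{ slsdotpath }}-get-updatevm-origin` while the sls file is named show-updatevm-origin and the installed binary qusal-report-updatevm-origin, so one helper goes by three verbs, which makes it harder to grep for across dom0 and the salt tree. Aligning the state id with the file name, `"{{ slsdotpath }}-show-updatevm-origin":`, is the smallest fix; renaming the binary would also require updating both README call sites in this commit. A short header comment above the state, such as `{# installs the dom0 helper that prints the template or standalone backing the current updatevm #}`, would also tell a reader why a sys-net state is targeted at dom0 by the accompanying top file.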