changes to src/usr/lib64/python2.7/site-packages/qubes/modules/007FortressQubesProxyVm.py:

If the server VM gets firewall rules besides of "allow all", those rules were only honored for outgoing traffic in the original code.
The changed code also creates rules for incoming traffic in the proxy VM and in the server VM.

It may not be perfect, but it works for me.
btw, code is GPL