Regarding the firewall, the discussion outcome is here: https://github.com/QubesOS/qubes-issues/issues/1815 (actually, the message linked from there). The idea is to:
1. have the updates proxy running over qrexec instead of TCP/IP, so the template will not have its own netvm at all
2. ease integration of “qubes firewall rules” with other firewalls (like the Whonix one)
So, those are two (related) things: default rules for the template, not enforced by Whonix (will be solved by “1”), and AppVM firewall rules generally when the Whonix gateway is in use (“2” will ease solving it, but by itself will not be enough).