In Qubes, the network interfaces are loaded manually. Now that whonix_firewall is being started with the ifup-pre.d scripts, it is always starting early. I could remove it completely but that will cause upgrade issues.
It took me 3 hours to work around the file being there today. Most of the time was figuring out what was preventing connections to the gateway's secure update server from the TemplateVM.
Normally, in the TemplateVM, I connect to the Gateway to confirm there is a secure update server available. If there is, a proxy is set for apt-get and that is the only traffic allowed in the TemplateVM. If no server is available, I completely lock down the iptables rules. Whonix firewall rules were preventing the initial connection and I had to add a rule to allow outgoing connections to 10.137.255.254:8082.
I would prefer to be able to disable the loading of the firewall in the first place. I load it manually as well.
I also needed to make sure all the replace-ip functions were done well in advance of networking because of this.
One last issue I came across when reloading whonix_firewall was a locked iptables database since some other app had a lock on it at the time. In Jessie you can use iptables --wait ... to prevent this type of failure. This only happened once, but worth noting.
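
The probe-then-restrict flow described in this post, as an added sketch that is not part of the original post and is not the poster's or Whonix's script. It assumes only the OUTPUT chain is managed, that nc is installed in the TemplateVM, and it uses a hypothetical apt configuration file name; the address and port are the ones quoted above.

```shell
#!/bin/sh
# Added example, not the poster's script. Address and port are quoted in the post.
PROXY_IP=10.137.255.254
PROXY_PORT=8082
IPT="iptables --wait"   # wait for the xtables lock instead of failing when it is held
APT_CONF=/etc/apt/apt.conf.d/99-example-update-proxy   # hypothetical file name

# Print the OUTPUT-chain commands for a proxy state ("up" or anything else).
# Default-drop comes first, so a failure part-way leaves the VM closed.
build_rules() {
    echo "$IPT -P OUTPUT DROP"
    echo "$IPT -F OUTPUT"
    if [ "$1" = "up" ]; then
        echo "$IPT -A OUTPUT -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT"
    fi
}

# Print the apt proxy setting for the "up" state; print nothing otherwise.
apt_proxy_line() {
    if [ "$1" = "up" ]; then
        echo "Acquire::http::Proxy \"http://$PROXY_IP:$PROXY_PORT/\";"
    fi
}

# Probe the proxy port. Assumption: nc (netcat) is available.
probe_proxy() {
    if nc -z -w 3 "$PROXY_IP" "$PROXY_PORT" 2>/dev/null; then
        echo up
    else
        echo down
    fi
}

# Open only the proxy port so the probe itself is not blocked, then settle
# on the final state: proxy-only traffic, or full lockdown.
main() {
    build_rules up | sh -e || exit 1
    state=$(probe_proxy)
    build_rules "$state" | sh -e || exit 1
    apt_proxy_line "$state" > "$APT_CONF"
}

case "${1:-}" in
    --apply) main ;;                                   # needs root
    up|down) build_rules "$1"; apt_proxy_line "$1" ;;  # dry run: print only
esac
```

Running it with up or down prints the commands without touching the firewall; --apply executes them.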