make sys-whonix function as Qubes FirewallVM
Waiting for Qubes ticket [Implement new firewall dom0->VM interface](https://github.com/QubesOS/qubes-issues/issues/1815) to be implemented.
A sys-whonix currently does its job as a ProxyVM, but not as a FirewallVM. It currently ignores QubesDB `qubes-iptables` entries.
* Therefore, for example, any TemplateVM using sys-whonix as its NetVM does not block the TemplateVM from using the open (torified) internet. (T372) (That will be solved once [set NetVM of TemplateVMs to none by default / make TemplateVMs non-networked by default](https://github.com/QubesOS/qubes-issues/issues/1858) gets implemented.)
* Additional firewall rules in ['Firewall rules' tab](https://www.qubes-os.org/attachment/wiki/QubesFirewall/r2b1-manager-firewall.png) are ignored.
I wonder if this FirewallVM functionality should be implemented in Whonix?
Any suggestion on how to implement it without re-inventing qubes-core-agent-linux/network/qubes-firewall? Or refactoring the Qubes code so Whonix can just call the required portion of it?
For QVMM... Could we somehow have multiple settings per VM?
- FirewallVM
If all three are set, Qubes would lead the traffic: VM -> ProxyVM -> FirewallVM -> NetVM?
Because there is also some confusion about the terminology.. Users can currently configure the NetVM of any VM. I am wondering if we are overloading the terms. The NetVM is the VM that is primarily defined as a VM that has access to physical network hardware and that establishes actual network connections to the ISP.
Currently a user could tell a story "I set the NetVM of my debian-8 TemplateVM to sys-whonix. And sys-whonix uses sys-firewall as its NetVM. And sys-firewall uses sys-net as its NetVM."
At the end it's like saying "setting the NetVM setting to the NetVM".
Q: "What's your NetVM?"
A: "My sys-net or the NetVM of my VM?"
-----
Related:
* [mechanism to hide Qubes VM Manager 'Firewall rules' tab](https://github.com/QubesOS/qubes-issues/issues/1323)