I just did a fresh install of Qubes and noticed that by default the update proxy for dom0 is sys-firewall, while for templates it’s sys-net.
What is the reason for this difference?
That is a good question.
The mechanisms are completely different.
Templates use tinyproxy, whereas dom0 use qubes-dom0-update (and
separate qvm-template).
The template proxy is set in /etc/qubes/policy.d/50-config-updates.policy
The dom0 proxy is set using qubes-prefs
Both can be set using the Qubes Global Config GUI.
Can be set to use the same qube, which need not be the defaults - which
is the first thing I do on a fresh install.
I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.