I don’t know anything about firewalls and I’m not planning on blocking anything, but I will be making a VPN VM. If so, is there any reason to have the firewall VM at all? And if not, should I simply make that into my VPN VM, or would that be some kind of issue?
using Kicksecure as a template for your AppVMs and
installing OpenSnitch inside your AppVMs
your threat model and decreasing your attack surface
PS: In what way do your iptables inside your AppVMs differ from your iptables inside sys-firewall? Anyway, I believe sys-firewall fetches the updates for dom0, so that might be a reason to keep it.