It may be too specific, but it does have the benefit of being right.
If you have THIS:
sys-net - sys-firewall - firewall2 - qube
Then the rules for “qube” are enforced on firewall2, its netvm.
Firewall rules are processed on the immediate netvm.
In this case, sys-firewall doesn’t see any traffic from qube. It only
sees traffic that appears to come from firewall2.
sys-whonix breaks this model, because it doesn’t process firewall rules
So in this case:
sys-net - sys-firewall - sys-whonix - qube
NO firewall rules are implemented. (They are not written on
sys-firewall but cant be processed because traffic is encrypted - they
are not written at all.)
If you insert a new firewall:
sys-net - sys-firewall - sys-whonix - firewall2 - qube
Then you do get benefit of a firewall, but sys-whonix only sees
traffic that seems to originate from firewall2, which may do strange
(and unwanted) things to Tor circuits.