I see, i was unaware of that and will update the guide to remove the firewall part. as for your second statement, according to Qubes docs minimal templates, none. the point im making is that since sys-net is the only qube actually communicating with the ethernet controller (or router if youre on wifi) then its the only qube that an attacker could directly attack, minimizing the attack surface prevents the ways in which an attacker could go about penetrating into sys-net, and we’ve seen examples a few years ago with a user who was being targeted by israeli hackers, having his sys-net being infiltrated as we see here Forensics on sys-net (take his statements with a grain of salt though because some of what he says doesnt make sense)