How is the QubesOS firewall implemented?

The Whonix gateway doesn’t (didn’t?) provide the capability
to enforce firewall rules. One reason why I don’t use Whonix.

If you adopt the proposed solution of putting in an extra firewallVM,
you should be aware that traffic will then arrive at the WhonixGW
after NAT, so traffic from all connected qubes will arrive at the GW
showing the same originating IP - this will impact how Tor circuits are
built and used, and is almost certainly not what you want.
