sys-firewall is a VM that sits between sys-net (which provides network connectivity) and the "application qube" (say, one running a web browser).
It's separate so that:
- If sys-net is compromised, it can't access any of the app VMs, as sys-firewall NATs outgoing connections and blocks incoming connections.
- If an app VM is compromised, it can't simply remove the firewall rules that prevent it from accessing the malware C&C servers.
Non-graphical Sys Firewall
For basic firewall setups, a non-graphical qube is fine for sys-firewall, as there's no UI for the user to interact with by default. It also reduces resource consumption and the attack surface.
Disposable Sys Firewall
The default sys-firewall setup doesn't persist any state within the qube itself (only via dom0), so it makes a good candidate for being a disposable sys-firewall.
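One way to set this up from dom0, as an added example that is not part of the original note: the script prints the commands by default and only runs them when APPLY=1 is set. The qube names sys-firewall-disp, default-dvm and work are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example: plan (or apply) a disposable firewall qube from dom0.
# Assumed names, not from the note: sys-firewall-disp, default-dvm, work.
# Dry run by default; set APPLY=1 in dom0 to execute the commands.

run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Create a DispVM-class qube that routes through sys-net and offers
# network to other qubes. Nothing written inside it survives a restart.
make_disposable_firewall() {
    fw=$1 dvm_template=$2 netvm=$3
    run qvm-create --class DispVM --label green --template "$dvm_template" "$fw"
    run qvm-prefs "$fw" netvm "$netvm"
    run qvm-prefs "$fw" provides_network true
    run qvm-prefs "$fw" autostart true
}

# Point an app qube at the new firewall and show its rules. The rules are
# kept in dom0 and enforced by the netvm, not inside the app qube itself.
attach_app_qube() {
    app=$1 fw=$2
    run qvm-prefs "$app" netvm "$fw"
    run qvm-firewall "$app" list
}

make_disposable_firewall sys-firewall-disp default-dvm sys-net
attach_app_qube work sys-firewall-disp
```
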