I've noticed that the rules set in the Qubes firewall for VMs connected to sys-whonix are completely ignored. All traffic goes through. The Whonix wiki warns about it:

https://www.whonix.org/wiki/Qubes/Firewall#Whonix-Workstation_Firewall

Easy solution: create named disposable sys-whonix-fw based on Debian or Fedora (just like sys-firewall or sys-vpn-fw), then connect your VMs to sys-whonix-fw insteaad of sys-whonix. Now all traffic with be filtered by the Qubes firewall.