You might want to harden it a little more, although sys-net is considered untrusted anyways. Another user freaked out recently when seeing listening processes not present using Fedora. I noticed the same thing a while back, but it's easy to disable what you want yourself. It's also why I use Fedora as my sys-net and firewall still, 'cause I feel the Qubes team prolly hardened it better. But I could be wrong...
I would love to see an OpenBSD template just for the sys-net or firewall.
Oh, btw, you can run Debian with AppArmor, and there is a profile for things like dhcpd. I actually consider sys-net untrusted and I use a Fedora clone on that one. Default Fedora on the sys-firewall.