The Qubes firewall is set for each qube.
So if you want to block a particular qube from accessing a site you make
a change in the firewall for that qube, and it is implemented in iptables
on the proxyVM upstream of the qube.
You have tried to set a rule on the firewallVM, and the error message is
telling you that sys-net does not act as a firewallVM.
If you want to block traffic FROM sys-firewall then you can set iptables
rules ON sys-firewall and set them from rc.local or
qubes-firewall-user-script in /rw/config.
Alternatively you can write custom rules in sys-net and implement them
there to block traffic from downstream qubes.
A major problem in doing this is that iptables acts on IP addresses. If you want to block something like doubleclick.net, then you would have to block all the IP addresses associated with that domain. An alternative approach would be to make entries in /etc/hosts resolving to a local address. This stops any DNS resolution and effectively blocks access to the site. If you look online there are many examples of hosts files that use this technique to block access to questionable sites.
hth
unman
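Both approaches from the reply above, as an added example script (mine, not unman's and not part of Qubes OS). It assumes two blocklist files of my own naming, /rw/config/blocked-ips.txt (one IPv4 address or CIDR per line) and /rw/config/blocked-hosts.txt (one domain per line), and it takes the iptables command and the hosts file path from environment variables so the functions can be exercised without root. The iptables part belongs on sys-firewall, called from /rw/config/qubes-firewall-user-script with the argument `apply-ips`; the hosts part belongs in the qube being restricted, called from its /rw/config/rc.local with `apply-hosts`, since /etc/hosts in an AppVM lives in the non-persistent root filesystem and has to be rewritten at each boot.

```shell
#!/bin/sh
# Added example, not Qubes code: helpers for the two blocking approaches
# described in the post (iptables on sys-firewall, /etc/hosts in the qube).
# Paths below are my assumptions, not anything the post specifies.

IPTABLES="${IPTABLES:-iptables}"                       # overridable for testing
BLOCKED_IPS="${BLOCKED_IPS:-/rw/config/blocked-ips.txt}"
BLOCKED_HOSTS="${BLOCKED_HOSTS:-/rw/config/blocked-hosts.txt}"
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"
MARK_BEGIN="# BEGIN qubes-blocklist"
MARK_END="# END qubes-blocklist"

# On sys-firewall: drop forwarded traffic from downstream qubes to each
# listed destination.  "-C" is tried first so re-running the script (Qubes
# re-runs qubes-firewall-user-script whenever rules are reloaded) never
# inserts duplicate rules.  Prints the number of rules added on this run.
block_forwarded_ips() {
    list="$1"; n=0
    [ -r "$list" ] || { echo 0; return 0; }
    while IFS= read -r ip || [ -n "$ip" ]; do
        case "$ip" in ''|'#'*) continue ;; esac     # skip blanks and comments
        if ! "$IPTABLES" -C FORWARD -d "$ip" -j DROP 2>/dev/null; then
            "$IPTABLES" -I FORWARD -d "$ip" -j DROP
            n=$((n + 1))
        fi
    done < "$list"
    echo "$n"
}

# In the restricted qube: rewrite the managed section of the hosts file so
# every listed domain resolves to 0.0.0.0 (unroutable, so the connection
# fails at once and nothing is sent to a service on the loopback address).
# Lines outside the BEGIN/END markers are preserved; a previous managed
# section is replaced rather than appended to, so the call is idempotent.
apply_hosts_blocklist() {
    list="$1"; hosts="$2"; tmp="$hosts.tmp.$$"
    [ -r "$list" ] || return 0
    if [ -f "$hosts" ]; then
        awk -v b="$MARK_BEGIN" -v e="$MARK_END" \
            '$0 == b {skip=1; next} $0 == e {skip=0; next} !skip' \
            "$hosts" > "$tmp"
    else
        : > "$tmp"
    fi
    {
        echo "$MARK_BEGIN"
        grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$list" | sort -u |
            while IFS= read -r d; do echo "0.0.0.0 $d"; done
        echo "$MARK_END"
    } >> "$tmp"
    mv "$tmp" "$hosts"
}

# Nothing runs unless an explicit mode is given, so the file can be sourced
# for its functions.  Example lines for the two Qubes hook scripts:
#   sys-firewall  /rw/config/qubes-firewall-user-script:  /rw/config/blocklist.sh apply-ips
#   restricted qube  /rw/config/rc.local:                  /rw/config/blocklist.sh apply-hosts
case "${1:-}" in
    apply-ips)   block_forwarded_ips "$BLOCKED_IPS" >/dev/null ;;
    apply-hosts) apply_hosts_blocklist "$BLOCKED_HOSTS" "$HOSTS_FILE" ;;
esac
```

The IP list still has the limitation unman points out: every address a domain resolves to has to be listed, and those change, which is why the hosts-file section is the more practical tool for blocking by name. Dropping in FORWARD on sys-firewall affects only traffic that transits it from downstream qubes, not sys-firewall's own traffic, which would need OUTPUT rules instead.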