Debian now recommends using nftables instead of the legacy iptables.
nftables is best managed through firewalld, as gufw/ufw are only for iptables.
Note: gufw can be used with nftables through the backward-compatibility layer iptables-nft, but this is recommended against and is not a good way forward for the future.
Suggestion (1):
Have nftables and firewalld installed and enabled by default (this causes nothing and adds no extra security by itself, but they are good packages to have by default).
Suggestion (2):
Drop all incoming connections by default (good security practice).
Since Kicksecure is for VM or bare-metal usage, closing all ports isn't bad practice. It will only affect users who are distro-morphing a Debian installed on a server via a remote tool like SSH.
Solutions to this issue:
- Kicksecure is not meant for distro-morphing Debian on a server via a remote tool; that's not the goal of the project, hence this is not an issue to solve to begin with. (One can use Proxmox, or VNC to the hypervisor, or similar ideas to have Kicksecure on outside servers.)
- Open only port 22, which is the default port of SSH, and generally nobody changes it. (It's debatable whether it's really useful to change it, let alone whether it's changed by many users.)
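One way to express suggestion (2) as an nftables ruleset, with port 22 left open as in the second solution, as an added example that is not from the post or the Kicksecure project: `default_deny_ruleset` and `check_ruleset` are assumed helper names, and `nft` (Debian's nftables package) is assumed to be installed for the syntax check.

```shell
#!/bin/sh
# Added example: default-deny nftables ruleset with SSH as the only new
# inbound connection allowed. Function names are assumed, not Kicksecure's.

# Emit the ruleset text; an optional argument overrides the SSH port (22).
default_deny_ruleset() {
    ssh_port="${1:-22}"
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # Without this line, replies to the host's own outbound connections
        # would be dropped too: "drop all incoming" must stay stateful.
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        meta l4proto { icmp, ipv6-icmp } accept
        tcp dport ${ssh_port} ct state new accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Syntax-check the ruleset with `nft -c` without applying it, so a typo
# cannot lock out the SSH session that is used to install it.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        default_deny_ruleset "$1" | nft -c -f -
    else
        echo "nft not installed; skipping syntax check" >&2
        return 0
    fi
}

# To apply on Debian (as root): write it to /etc/nftables.conf, then
# `systemctl enable --now nftables`.
# default_deny_ruleset > /etc/nftables.conf
```

If firewalld is managing nftables instead, the same policy is `firewall-cmd --set-default-zone=drop` plus `firewall-cmd --permanent --zone=drop --add-service=ssh`; do not mix a hand-written ruleset with firewalld on the same host.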