Cleaner Firewall configuration

Preparation

• Prepare a branch: A better Firewall setup (puppet-tails!100 - merged)
• Deal with ant01/sib (check details of proposal above): Consider removing ant01 and sib from our shared... (#17961 - closed)
• Add puppet-tirewall as a submodule.
• Merge: A better Firewall setup (puppet-tails!100 - merged)
• Deploy changes in production, make sure Puppet, Icinga and VPN work.
• Include tails::profile::firewall in Dragon.

Deployment

• Private services:
  • Puppet Server
  • Icinga2 Master
  • APT proxy
  • Bitcoin
  • IM
• Public services:
  • BitTorrent
  • Tor
  • DNS
  • Rsync
  • Gitolite
  • E-mail
  • LimeSurvey
  • Weblate
  • APT
  • WWW
• Physical hosts:
  • Skink
  • Dragon
  • Iguana
  • Lizard
• Jenkins Orchestrator and Agents
• Stone → Deferred to Update the Puppet config of Stone, the masterle... (#17975 - closed)

Follow-up

• Check whether we can ditch the current internal DNS resolution of {*.,}tails.boum.org and use the "public service" firewall configs instead. → Deferred to Improve firewall config for connections from Je... (#17972 - closed)
• Filter Lizard's VPN port
• Decide what to do with Libvirt nwfilters -- Re-implement VM IP filtering
• Reject all ICMP except echo-request and echo-reply (puppet-tirewall!3 - merged)
• Fix tirewall dport in redirects (can't be an Array) :/
• Fix tirewall unit tests
• Remove hardcoded SSH accept rule (already exported by SSH profile)
• Fix Munin
• Consider having a placeholder website for occasional website downtimes → Deferred to Consider implementing mitigations for some of t... (tails#19298)
• Manually remove leftover Shorewall cron rule: /etc/cron.daily/shorewall_check