Cleaner Firewall configuration

Preparation

  • Prepare a branch: puppet-tails!100+
  • Deal with ant01/sib (check details of proposal above): sysadmin#17961+
  • Add puppet-tirewall as a submodule.
  • Merge: puppet-tails!100+
  • Deploy the changes in production and verify that Puppet, Icinga and the VPN still work.
  • Include tails::profile::firewall in Dragon.

Deployment

  • Private services:
    • Puppet Server
    • Icinga2 Master
    • APT proxy
    • Bitcoin
    • IM
  • Public services:
    • BitTorrent
    • Tor
    • DNS
    • Rsync
    • Gitolite
    • E-mail
    • LimeSurvey
    • Weblate
    • APT
    • WWW
  • Physical hosts:
    • Skink
    • Dragon
    • Iguana
    • Lizard
  • Jenkins Orchestrator and Agents
  • Stone → Deferred to #17975+
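The deployment list above sorts services into "private" (reachable only from the internal/VPN network) and "public" (reachable from anywhere). The following nftables ruleset is an added illustration of that distinction, not the output of puppet-tirewall or the actual Tails ruleset. It assumes a hypothetical VPN network 10.0.0.0/24, one private service (the Puppet server on its default port 8140) and one public service (WWW on 80/443); the SSH accept rule is written out explicitly here, whereas in Puppet it comes from the SSH profile.

```nft
# Added example: private vs. public service exposure in nftables.
# Assumptions (not from the page): VPN/internal network is 10.0.0.0/24,
# service ports are the upstream defaults, host runs Puppet server and WWW.
table inet filter {
    set vpn_net {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/24 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # management access; in Puppet this rule is exported by the SSH profile
        tcp dport 22 accept

        # private service: only from the VPN/internal network
        ip saddr @vpn_net tcp dport 8140 accept

        # public service: from anywhere
        tcp dport { 80, 443 } accept

        # everything else hits the drop policy; log a sample of it
        limit rate 5/minute log prefix "nft-drop: "
    }
}
```

Syntax-check the file with `nft -c -f <file>` before loading it, then confirm the split from the outside: a TCP connect to port 8140 from a non-VPN address should be dropped (timeout), while 80/443 should answer. The rate-limited log line at the end is what lets you see, during the production rollout, whether Puppet, Icinga or VPN traffic is being dropped by mistake.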

Follow-up

  • Check whether we can ditch the current internal DNS resolution of {*.,}tails.boum.org and use the "public service" firewall configs instead. → Deferred to #17972+
  • Filter Lizard's VPN port
  • Decide what to do with Libvirt nwfilters: re-implement VM IP filtering
  • puppet-tirewall!3+
  • Fix tirewall dport in redirects (can't be an Array) :/
  • Fix tirewall unit tests
  • Remove hardcoded SSH accept rule (already exported by SSH profile)
  • Fix Munin
  • Consider having a placeholder website for occasional website downtimes → Deferred to tails#19298+
  • Manually remove the leftover Shorewall cron job: /etc/cron.daily/shorewall_check
Edited by groente-admin