feat(fw): Models + Repos für Firewall-v2 (6 Entities)

Models (internal/models/):
* FirewallAddressObject (host|network|range|fqdn)
* FirewallAddressGroup mit MemberIDs gorm:"-"-Slice
* FirewallService (proto+ports, builtin-Flag)
* FirewallServiceGroup mit MemberIDs
* FirewallRule (v2-Shape, src/dst nullable refs, exactly-one-of-Validation
  in Handler-Layer)
* FirewallNATRule (kind=dnat|snat|masquerade, alle nullable)

Repos (internal/services/firewall/, ein Paket):
* AddressObjectsRepo, AddressGroupsRepo (mit Members-Junction-Ops)
* ServicesRepo (refused Update/Delete für builtin=TRUE Rows),
  ServiceGroupsRepo
* RulesRepo, NATRulesRepo
Jeweils Standard-CRUD; Group-Repos handhaben Members atomic in einer
TX (Update ersetzt komplette Membership).

Handler + Renderer-Rewrite + Frontend folgen in den nächsten
Commits.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

internal/models/firewall_rule.go

@@ -0,0 +1,43 @@
+package models
+
+import "time"
+
+// FirewallRule is the v2 (Fortigate-style) policy row. Source and
+// destination each carry exactly one of:
+//   - <Side>AddressObjectID  → primitive address object
+//   - <Side>AddressGroupID   → address group
+//   - <Side>CIDR             → inline CIDR
+//   - all three nil          → "any"
+//
+// Same rule applies to ServiceObjectID / ServiceGroupID — exactly one
+// or both nil for "any service".
+//
+// Validation lives in the handler layer (DB doesn't enforce
+// "exactly one" because expressive CHECK constraints get unwieldy).
+type FirewallRule struct {
+	ID                  int64     `gorm:"primaryKey"                       json:"id"`
+	Name                *string   `gorm:"column:name"                      json:"name,omitempty"`
+	Priority            int       `gorm:"column:priority"                  json:"priority"`
+	Enabled             bool      `gorm:"column:enabled"                   json:"enabled"`
+	Action              string    `gorm:"column:action"                    json:"action"` // accept|drop|reject
+
+	SrcZone             string    `gorm:"column:src_zone"                  json:"src_zone"`
+	SrcAddressObjectID  *int64    `gorm:"column:src_address_object_id"     json:"src_address_object_id,omitempty"`
+	SrcAddressGroupID   *int64    `gorm:"column:src_address_group_id"      json:"src_address_group_id,omitempty"`
+	SrcCIDR             *string   `gorm:"column:src_cidr"                  json:"src_cidr,omitempty"`
+
+	DstZone             string    `gorm:"column:dst_zone"                  json:"dst_zone"`
+	DstAddressObjectID  *int64    `gorm:"column:dst_address_object_id"     json:"dst_address_object_id,omitempty"`
+	DstAddressGroupID   *int64    `gorm:"column:dst_address_group_id"      json:"dst_address_group_id,omitempty"`
+	DstCIDR             *string   `gorm:"column:dst_cidr"                  json:"dst_cidr,omitempty"`
+
+	ServiceObjectID     *int64    `gorm:"column:service_object_id"         json:"service_object_id,omitempty"`
+	ServiceGroupID      *int64    `gorm:"column:service_group_id"          json:"service_group_id,omitempty"`
+
+	Log                 bool      `gorm:"column:log"                       json:"log"`
+	Comment             *string   `gorm:"column:comment"                   json:"comment,omitempty"`
+	CreatedAt           time.Time `gorm:"column:created_at"                json:"created_at"`
+	UpdatedAt           time.Time `gorm:"column:updated_at"                json:"updated_at"`
+}
+
+func (FirewallRule) TableName() string { return "firewall_rules" }