feat(fw): Frontend /firewall mit 6 Tabs (Rules/NAT/Address-Objects/-Groups/Services/-Groups)

management-ui/src/pages/Firewall/:
* index.tsx — AntD Tabs default=Rules
* AddressObjects.tsx — Table + Modal (kind-Switch ändert Placeholder)
* AddressGroups.tsx — Members als Multi-Select aus Address-Objects
* Services.tsx — Builtin-Rows sind Edit/Delete-disabled mit Tooltip,
  Form blendet Port-Felder bei proto != tcp/udp aus
* ServiceGroups.tsx — analog AddressGroups
* Rules.tsx — Renderer mit object/group/cidr/any-Switch pro Seite
  + Service-Picker; Action+Zone als Tags in der Tabelle
* NATRules.tsx — kind-spezifische Form (DNAT braucht in_zone+dport,
  SNAT/MASQ braucht out_zone, MASQ verbietet target_addr)

Sidebar bekommt eigene Sektion "Sicherheit" mit FireOutlined-Icon
für /firewall. i18n de/en für alle 6 Tabs + Form-Labels.

Backend war schon im vorigen Commit fertig — diese Pages konsumieren
direkt /api/v1/firewall/{address-objects,address-groups,services,
service-groups,rules,nat-rules}. Renderer (nft aus den Joins) +
auto-apply folgen in den nächsten Commits — bis dahin sind die Rules
in der DB sichtbar aber noch nicht aktiv im Kernel.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

management-ui/src/i18n/locales/de/common.json

@@ -12,16 +12,76 @@
     "ipAddresses": "IP-Adressen",
     "ssl": "SSL-Zertifikate",
     "vpn": "VPN",
-    "firewall": "Firewall",
+    "firewall": "Firewall (v2)",
     "cluster": "Cluster",
     "settings": "Einstellungen",
     "section": {
       "overview": "Übersicht",
       "routing": "Routing",
       "network": "Netzwerk",
+      "security": "Sicherheit",
       "system": "System"
     }
   },
+  "fw": {
+    "title": "Firewall",
+    "intro": "Fortigate-Style: Regeln aus Zonen × Adress-Objekten/Gruppen × Services/Service-Gruppen × Action. NAT separat. Top-down, first-match.",
+    "tabs": {
+      "rules": "Regeln",
+      "nat": "NAT",
+      "addrObj": "Adress-Objekte",
+      "addrGrp": "Adress-Gruppen",
+      "services": "Services",
+      "svcGrp": "Service-Gruppen"
+    },
+    "ao": {
+      "name": "Name", "kind": "Typ", "value": "Wert", "description": "Beschreibung",
+      "add": "Adress-Objekt hinzufügen", "edit": "Adress-Objekt bearbeiten",
+      "deleteConfirm": "Adress-Objekt {{name}} wirklich löschen?"
+    },
+    "ag": {
+      "name": "Name", "members": "Mitglieder", "description": "Beschreibung",
+      "add": "Adress-Gruppe hinzufügen", "edit": "Adress-Gruppe bearbeiten",
+      "selectMembers": "Adress-Objekte wählen",
+      "deleteConfirm": "Adress-Gruppe {{name}} wirklich löschen?"
+    },
+    "svc": {
+      "name": "Name", "proto": "Protokoll", "ports": "Ports",
+      "portStart": "Port (Start)", "portEnd": "Port (Ende)",
+      "description": "Beschreibung", "builtinHint": "Vordefiniert — nicht editierbar",
+      "add": "Service hinzufügen", "edit": "Service bearbeiten",
+      "deleteConfirm": "Service {{name}} wirklich löschen?"
+    },
+    "sg": {
+      "name": "Name", "members": "Mitglieder", "description": "Beschreibung",
+      "add": "Service-Gruppe hinzufügen", "edit": "Service-Gruppe bearbeiten",
+      "selectMembers": "Services wählen",
+      "deleteConfirm": "Service-Gruppe {{name}} wirklich löschen?"
+    },
+    "rule": {
+      "name": "Name", "priority": "Priority", "enabled": "Aktiv", "log": "Logging",
+      "action": "Aktion", "src": "Quelle", "dst": "Ziel", "service": "Service",
+      "srcZone": "Quell-Zone", "dstZone": "Ziel-Zone",
+      "srcKind": "Quell-Typ", "dstKind": "Ziel-Typ",
+      "object": "Adress-Objekt", "group": "Adress-Gruppe",
+      "serviceKind": "Service-Typ", "serviceGroup": "Service-Gruppe",
+      "comment": "Kommentar",
+      "add": "Regel hinzufügen", "edit": "Regel bearbeiten",
+      "deleteConfirm": "Diese Regel wirklich löschen?"
+    },
+    "nat": {
+      "name": "Name", "priority": "Priority", "kind": "Typ", "enabled": "Aktiv",
+      "match": "Match", "target": "Ziel",
+      "inZone": "Eingangs-Zone", "outZone": "Ausgangs-Zone", "proto": "Protokoll",
+      "matchSrcCidr": "Source-CIDR (Match)", "matchDstCidr": "Dest-CIDR (Match)",
+      "matchDstCidrHint": "leer = jede dest-IP (z.B. öffentliche IP der Box)",
+      "dportStart": "Port (Start)", "dportEnd": "Port (Ende)",
+      "targetAddr": "Ziel-Adresse", "targetPortStart": "Ziel-Port (Start)", "targetPortEnd": "Ziel-Port (Ende)",
+      "comment": "Kommentar",
+      "add": "NAT-Regel hinzufügen", "edit": "NAT-Regel bearbeiten",
+      "deleteConfirm": "Diese NAT-Regel wirklich löschen?"
+    }
+  },
   "networks": {
     "title": "Netzwerk-Interfaces",
     "intro": "Verwalte WAN-, LAN-, VLAN- und Bond-Interfaces. Read-only-Discovery der Kernel-Interfaces oben; deklarierte Konfiguration unten — runtime-Apply via systemd-networkd folgt in einem späteren Release.",

management-ui/src/i18n/locales/en/common.json

@@ -19,9 +19,69 @@
       "overview": "Overview",
       "routing": "Routing",
       "network": "Network",
+      "security": "Security",
       "system": "System"
     }
   },
+  "fw": {
+    "title": "Firewall",
+    "intro": "Fortigate-style: rules built from zones × address objects/groups × services/service groups × action. NAT is separate. Top-down, first-match.",
+    "tabs": {
+      "rules": "Rules",
+      "nat": "NAT",
+      "addrObj": "Address objects",
+      "addrGrp": "Address groups",
+      "services": "Services",
+      "svcGrp": "Service groups"
+    },
+    "ao": {
+      "name": "Name", "kind": "Kind", "value": "Value", "description": "Description",
+      "add": "Add address object", "edit": "Edit address object",
+      "deleteConfirm": "Really delete address object {{name}}?"
+    },
+    "ag": {
+      "name": "Name", "members": "Members", "description": "Description",
+      "add": "Add address group", "edit": "Edit address group",
+      "selectMembers": "Select address objects",
+      "deleteConfirm": "Really delete address group {{name}}?"
+    },
+    "svc": {
+      "name": "Name", "proto": "Protocol", "ports": "Ports",
+      "portStart": "Port (start)", "portEnd": "Port (end)",
+      "description": "Description", "builtinHint": "Built-in — not editable",
+      "add": "Add service", "edit": "Edit service",
+      "deleteConfirm": "Really delete service {{name}}?"
+    },
+    "sg": {
+      "name": "Name", "members": "Members", "description": "Description",
+      "add": "Add service group", "edit": "Edit service group",
+      "selectMembers": "Select services",
+      "deleteConfirm": "Really delete service group {{name}}?"
+    },
+    "rule": {
+      "name": "Name", "priority": "Priority", "enabled": "Enabled", "log": "Log",
+      "action": "Action", "src": "Source", "dst": "Destination", "service": "Service",
+      "srcZone": "Source zone", "dstZone": "Dest. zone",
+      "srcKind": "Source kind", "dstKind": "Dest. kind",
+      "object": "Address object", "group": "Address group",
+      "serviceKind": "Service kind", "serviceGroup": "Service group",
+      "comment": "Comment",
+      "add": "Add rule", "edit": "Edit rule",
+      "deleteConfirm": "Really delete this rule?"
+    },
+    "nat": {
+      "name": "Name", "priority": "Priority", "kind": "Kind", "enabled": "Enabled",
+      "match": "Match", "target": "Target",
+      "inZone": "Ingress zone", "outZone": "Egress zone", "proto": "Protocol",
+      "matchSrcCidr": "Source CIDR (match)", "matchDstCidr": "Dest. CIDR (match)",
+      "matchDstCidrHint": "empty = any dest IP (e.g. box's public IP)",
+      "dportStart": "Port (start)", "dportEnd": "Port (end)",
+      "targetAddr": "Target address", "targetPortStart": "Target port (start)", "targetPortEnd": "Target port (end)",
+      "comment": "Comment",
+      "add": "Add NAT rule", "edit": "Edit NAT rule",
+      "deleteConfirm": "Really delete this NAT rule?"
+    }
+  },
   "networks": {
     "title": "Network interfaces",
     "intro": "Manage WAN, LAN, VLAN and bond interfaces. Read-only kernel discovery above; declared configuration below — runtime apply via systemd-networkd lands in a later release.",