feat(fw): Migration 0010 — Firewall-v2-Schema (Fortigate-Style)

Phase-1 firewall_rules (chain/match_expr raw nft) → Fortigate-Niveau:
* firewall_address_objects (host/network/range/fqdn)
* firewall_address_groups + members junction
* firewall_services (proto+port range, builtin-Flag)
* firewall_service_groups + members junction
* firewall_rules komplett umgebaut: src_zone+addr/group/cidr,
  dst_zone+addr/group/cidr, service_object_id ODER service_group_id,
  action accept|drop|reject, log-Flag, priority+enabled
* firewall_nat_rules (kind=dnat|snat|masquerade) als separate Tabelle

Zonen kommen aus network_interfaces.role (wan|lan|dmz|mgmt|cluster
+ pseudo-Zone 'any').

Builtin-Inserts: 18 Standard-Services (HTTP/HTTPS/SSH/DNS/SMTP-Familie/
DBs/RDP/WireGuard/Ping) plus 5 Service-Groups (Web, Mail-Submit,
Mail-Receive, DNS, Ping).

Renderer (internal/firewall/firewall.go) lässt firewall_rules-Query
für jetzt aus — Template fällt auf baseline + cluster-peer-set
zurück. Volle Render-Logik mit den neuen Joins kommt mit Task #44.

Models + Repos + Handlers + Frontend folgen in den nächsten Commits.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

internal/models/firewall_rule.go

@@ -1,17 +0,0 @@
-package models
-
-import "time"
-
-type FirewallRule struct {
-	ID        int64     `gorm:"primaryKey"          json:"id"`
-	Chain     string    `gorm:"column:chain"        json:"chain"`
-	Priority  int       `gorm:"column:priority"     json:"priority"`
-	MatchExpr string    `gorm:"column:match_expr"   json:"match_expr"`
-	Action    string    `gorm:"column:action"       json:"action"`
-	Comment   *string   `gorm:"column:comment"      json:"comment,omitempty"`
-	Active    bool      `gorm:"column:active"       json:"active"`
-	CreatedAt time.Time `gorm:"column:created_at"   json:"created_at"`
-	UpdatedAt time.Time `gorm:"column:updated_at"   json:"updated_at"`
-}
-
-func (FirewallRule) TableName() string { return "firewall_rules" }