feat(firewalld): configuration to open unprivileged ports by default (#719)

This PR configures firewalld to open unprivileged ports (1024-65535) by
default, matching Fedora Workstation's approach. This enables desktop
applications like LocalSend to work out of the box without requiring
manual firewall configuration.

## Changes Made

**Firewall Zone Configuration:**
- Added `FedoraWorkstation.xml` zone definition that allows TCP/UDP
ports 1024-65535
- Includes essential services: dhcpv6-client, ssh, samba-client
- Blocks privileged ports (1-1023) except for explicitly allowed
services

**System Configuration:**
- Set `FedoraWorkstation` as the default firewall zone in
`firewalld.conf`
- Added explicit firewalld package installation to ensure availability
- Enabled firewalld service to start automatically on boot

## Security Model

This maintains a secure-by-default approach while enabling desktop
functionality:
- ✅ All unprivileged ports (1024+) open for incoming connections
- ✅ Essential services (SSH, DHCP, Samba client) allowed
- ❌ Privileged ports (1-1023) blocked except for allowed services
- ❌ No changes to outgoing connection restrictions

## Benefits

Applications that will work out of the box:
- **LocalSend** - Cross-platform file sharing
- **Development servers** - Running on ports 8080, 3000, etc.
- **P2P applications** - Using dynamic high port ranges
- **Local media servers** - Network streaming applications

This brings Bluefin LTS in line with Fedora Workstation's user-friendly
firewall policy while maintaining the same security boundaries.

Fixes #715.

> [!WARNING]
>
> <details>
> <summary>Firewall rules blocked me from connecting to one or more
addresses (expand for details)</summary>
>
> #### I tried to connect to the following addresses, but was blocked by
firewall rules:
>
> - `cdn01.quay.io`
> - Triggering command: `podman build --build-arg MAJOR_VERSION=stream10
--build-arg IMAGE_NAME=bluefin --build-arg IMAGE_VENDOR=ublue-os
--build-arg ENABLE_DX=0 --build-arg ENABLE_GDX=0 --build-arg
ENABLE_HWE=0 --build-arg SHA_HEAD_SHORT=a708a00 --pull=newer --tag
bluefin:lts .` (dns block)
>
> If you need me to access, download, or install something from one of
these locations, you can either:
>
> - Configure [Actions setup
steps](https://gh.io/copilot/actions-setup-steps) to set up my
environment, which run before the firewall is enabled
> - Add the appropriate URLs or hosts to the custom allowlist in this
repository's [Copilot coding agent
settings](https://github.com/ublue-os/bluefin-lts/settings/copilot/coding_agent)
(admins only)
>
> </details>



<!-- START COPILOT CODING AGENT TIPS -->
---

💡 You can make Copilot smarter by setting up custom instructions,
customizing its development environment and configuring Model Context
Protocol (MCP) servers. Learn more [Copilot coding agent
tips](https://gh.io/copilot-coding-agent-tips) in the docs.

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: hanthor <[email protected]>
Co-authored-by: James Reilly <[email protected]>

Author: Copilot

build_scripts/20-packages.sh

@@ -11,6 +11,7 @@ dnf -y install \
 	buildah \
 	distrobox \
 	fastfetch \
+	firewalld \
 	fpaste \
 	fzf \
 	gnome-disk-utility \

build_scripts/40-services.sh

@@ -11,6 +11,7 @@ sed -i 's/#HandleLidSwitchExternalPower=.*/HandleLidSwitchExternalPower=suspend-
 sed -i 's/#SleepOperation=.*/SleepOperation=suspend-then-hibernate/g' /usr/lib/systemd/logind.conf
 systemctl enable brew-setup.service
 systemctl enable gdm.service
+systemctl enable firewalld.service
 systemctl enable fwupd.service
 systemctl --global enable podman-auto-update.timer
 systemctl enable ublue-countme.timer

system_files/etc/firewalld/firewalld.conf

@@ -0,0 +1,78 @@
+# firewalld config file
+
+# default zone
+# The default zone used if an empty zone string is used.
+# Default: public
+DefaultZone=Workstation
+
+# Minimal mark
+# Marks up to this minimum are free for use for example in the direct
+# interface. If more free marks are needed, increase the minimum
+# Default: 100
+#MinimalMark=100
+
+# Clean up on exit
+# If set to no or false the firewall configuration will not get cleaned up
+# on exit or stop of firewalld
+# Default: yes
+#CleanupOnExit=yes
+
+# Lockdown
+# If set to enabled, firewall changes with the D-Bus interface will be limited
+# to applications that are listed in the lockdown whitelist.
+# The lockdown whitelist file is lockdown-whitelist.xml
+# Default: no
+#Lockdown=no
+
+# IPv6_rpfilter
+# Performs a reverse path filter test on a packet for IPv6. If a reply to the
+# packet would be sent via the same interface that the packet arrived on, the
+# packet will match and be accepted, otherwise dropped.
+# The rp_filter for IPv4 is controlled using sysctl.
+# Default: yes
+#IPv6_rpfilter=yes
+
+# IndividualCalls
+# Do not use combined -restore calls, but individual calls. This increases the
+# time that is needed to apply changes and to start the daemon, but is good for
+# debugging.
+# Default: no
+#IndividualCalls=no
+
+# LogDenied
+# Add logging rules right before reject and drop rules in the INPUT, FORWARD
+# and OUTPUT chains for the default rules and also final reject and drop rules
+# in zones. Possible values are: all, unicast, broadcast, multicast and off.
+# Default: off
+#LogDenied=off
+
+# AutomaticHelpers
+# For the secure use of iptables and connection tracking helpers it is
+# recommended to turn AutomaticHelpers off. But this might have side effects on
+# other services. This setting can be overridden per zone using the
+# AutomaticHelpers zone setting. For more information on helpers and their
+# configuration, please have a look at the respective documentation.
+# Default: system
+#AutomaticHelpers=system
+
+# FirewallBackend
+# Selects the firewall backend implementation.
+# Choices are:
+#	- nftables (default)
+#	- iptables (iptables, ip6tables, ebtables and ipset)
+# Default: nftables
+#FirewallBackend=nftables
+
+# FlushAllOnReload
+# Flush all runtime rules on a reload. In previous releases some runtime
+# configuration was retained during a reload, namely; interface to zone
+# assignment, and direct rules. This was confusing to users. To get the old
+# behavior set this to "no".
+# Default: yes
+#FlushAllOnReload=yes
+
+# RFC3964_IPv4
+# As per RFC 3964, filter IPv6 over IPv4 tunnels (6to4).
+# This means we also filter protocol 41 and isatap.
+# Default: yes
+#RFC3964_IPv4=yes

system_files/usr/lib/firewalld/zones/Workstation.xml

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="utf-8"?>
+<zone>
+  <short>Workstation</short>
+  <description>Unsolicited incoming network packets are rejected from port 1 to 1023, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
+  <service name="dhcpv6-client"/>
+  <service name="ssh"/>
+  <service name="samba-client"/>
+  <port protocol="udp" port="1024-65535"/>
+  <port protocol="tcp" port="1024-65535"/>
+</zone>