security: firewall phase 2 (IPv6 egress controls + nftables compatibility) #119

@benvinegar

Problem

Firewall setup/audit currently focuses on IPv4 iptables rules. On hosts with IPv6 enabled or nftables-first setups, outbound restrictions may be incomplete or harder to validate.

Proposed solution

  • Extend firewall setup to cover IPv6 egress policy (ip6tables or nft equivalent).
  • Add nftables-aware detection/configuration path where iptables compatibility is absent.
  • Update security audit checks to validate whichever backend is active (iptables/ip6tables/nftables).
  • Preserve current behavior as fallback for existing installs.

Helpful context

  • bin/setup-firewall.sh currently programs iptables chain/rules only.
  • bin/security-audit.sh firewall checks inspect iptables and /etc/iptables/rules.v4.
  • Repo guidelines already allow distro-specific branches when reliability improves.
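A sketch of the backend detection, IPv6 egress policy and backend-aware audit check described above (an example added here, not code from the repo's bin/setup-firewall.sh or bin/security-audit.sh; the table and chain names, the allowed ports and the function names are assumptions):

```shell
# Added example, not the project's bin/setup-firewall.sh: detect the active IPv6
# backend, render an egress policy for it, audit the live ruleset. Names/ports assumed.
# detect_backend: "nft", "iptables-nft" (ip6tables is the nf_tables shim), "ip6tables", "none".
detect_backend() {
  if command -v nft >/dev/null 2>&1; then echo nft; return; fi
  if command -v ip6tables >/dev/null 2>&1; then
    case "$(ip6tables -V 2>/dev/null)" in
      *nf_tables*) echo iptables-nft ;;
      *) echo ip6tables ;;
    esac; return
  fi
  echo none
}
# nft ruleset: default-drop output hook; allow loopback, replies, neighbour discovery, HTTPS; log drops.
render_nft_ip6_egress() {
  cat <<'EOF'
table ip6 egress_v6 {
  chain output {
    type filter hook output priority 0; policy drop;
    oif "lo" accept
    ct state established,related accept
    icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit } accept
    tcp dport 443 accept
    log prefix "v6-egress-drop " drop
  }
}
EOF
}
# Audit helpers read the live ruleset on stdin: 'nft list ruleset' must show an
# ip6 output-hook chain with policy drop; 'ip6tables -S OUTPUT' must begin -P DROP.
audit_nft_ip6_egress() {
  awk '/^table ip6 / {in6=1; next} /^table / {in6=0; next}
       in6 && /hook output/ && /policy drop/ {found=1}
       END {exit found ? 0 : 1}'
}
audit_ip6tables_egress() { grep -q '^-P OUTPUT DROP$'; }
# Apply with whichever backend is present (needs root; not run by default).
apply_ip6_egress() {
  case "$(detect_backend)" in
    nft) render_nft_ip6_egress | nft -f - ;;
    iptables-nft|ip6tables)
      ip6tables -A OUTPUT -o lo -j ACCEPT
      ip6tables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      ip6tables -A OUTPUT -p ipv6-icmp -j ACCEPT
      ip6tables -A OUTPUT -p tcp --dport 443 -j ACCEPT
      ip6tables -P OUTPUT DROP ;;  # policy last, so the accepts exist first
    *) echo "no IPv6 firewall backend found" >&2; return 1 ;;
  esac
}
```

The two audit functions take the ruleset listing on stdin, so they can be exercised against captured output without root; only apply_ip6_egress touches the live firewall.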
