
feat(firewall): firewall adjustments for cloud engine nodes #9315

Draft
pierugo-dfinity wants to merge 19 commits into master from pierugo/firewall/type4-adjustments


Conversation


@pierugo-dfinity pierugo-dfinity commented Mar 11, 2026

This PR adjusts the firewall to support cloud engine nodes. Cloud engine nodes (reward type: type4) have different trust assumptions and should (for now) be outside the firewall, i.e., not be able to talk to non-type4 nodes.
Here are the intended rules for each node type/role:

  • A type4 API BN will not exist for now; it is configured just like a non-type4 API BN for now (see below). They should probably be configured differently in the future.
  • An assigned/unassigned type4 node accepts traffic from all nodes. In particular, they need to accept incoming connections from regular API BNs to allow the latter to forward traffic. In the future, they could allow traffic from type4 nodes only, if type4 API BNs exist.
  • An assigned/unassigned non-type4 node accepts traffic from all but type4 nodes. In particular, this means that a type4 API BN (should they exist) will not be able to connect to them.
  • A non-type4 API BN will open its SOCKS proxy port only to (system) subnets or (app + verified app) subnets, depending on whether it is a system- or app-API BN respectively. Note that type4 nodes will thus not be able to connect to a non-type4 API BN's SOCKS proxy.

Also,

  • To affect current nodes as little as possible:
    • Nodes will not accept traffic from nodes that do not have a node record (this is already the case)
    • But they will accept it if the remote node does have a node record but no (or an incorrect) reward type.
    • Nodes without a node record will allow traffic from all but type4 nodes, just like a non-type4 node.
  • The HTTP adapter denies communication to all nodes (regardless of their type).

The golden tests have been greatly extended to test combinations of type4/non-type4 nodes as well as for unassigned nodes.
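The rule matrix above is easier to check when it is written down as a decision function and enumerated over the node-type combinations. The following Rust model is an added example, not code from this PR or from the IC repository: the type and function names (`RewardType`, `Remote`, `Local`, `accepts_node_traffic`, `socks_proxy_open`) and the way subnet membership is represented are assumptions made for illustration. Two points the description leaves open are marked as assumptions in the code: the non-SOCKS ports of an API BN are modelled with the non-type4 rule, and type4 peers are excluded from the SOCKS proxy by an explicit check rather than by relying on which subnets they are in.

```rust
// Added example (not the project's code): a model of the per-node-type
// firewall policy, so every combination in the PR description can be checked.

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
enum RewardType {
    Type4,
    /// Any reward type other than type4.
    Other,
    /// Node record present but reward type missing or not parseable; the
    /// description says such a peer is treated like a regular (non-type4) node.
    Unknown,
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
enum SubnetKind {
    System,
    App,
    VerifiedApp,
}

/// What the firewall can learn about a peer from the registry (assumed shape).
#[derive(Clone, Copy, Debug)]
enum Remote {
    NoRecord,
    /// `subnet` is `None` for an unassigned node.
    Node { reward: RewardType, subnet: Option<SubnetKind> },
}

/// The local host as seen by its own firewall (assumed shape).
#[derive(Clone, Copy, Debug)]
enum Local {
    NoRecord,
    /// Assigned or unassigned replica; the rules are the same for both.
    Replica { reward: RewardType },
    /// API boundary node serving system subnets (`system == true`) or
    /// app + verified app subnets (`system == false`).
    ApiBoundaryNode { system: bool, reward: RewardType },
}

fn is_type4(reward: RewardType) -> bool {
    reward == RewardType::Type4
}

/// Node-to-node traffic accepted from `remote` on the local host.
fn accepts_node_traffic(local: Local, remote: Remote) -> bool {
    // Peers without a node record are always rejected (already the case).
    let remote_reward = match remote {
        Remote::NoRecord => return false,
        Remote::Node { reward, .. } => reward,
    };
    match local {
        // A type4 replica accepts traffic from all nodes with a record,
        // including regular API BNs that forward traffic to it.
        Local::Replica { reward: RewardType::Type4 } => true,
        // A non-type4 replica, and a host without a node record, accept all
        // but type4 peers. Unknown reward types are treated as non-type4.
        Local::NoRecord | Local::Replica { .. } => !is_type4(remote_reward),
        // Assumption: the PR does not spell out the non-SOCKS ports of an API
        // BN; the model applies the non-type4 rule there too.
        Local::ApiBoundaryNode { .. } => !is_type4(remote_reward),
    }
}

/// Whether the local API BN opens its SOCKS proxy port to `remote`.
/// A type4 API BN is configured exactly like a non-type4 one for now, so the
/// local reward type is deliberately ignored here.
fn socks_proxy_open(local: Local, remote: Remote) -> bool {
    let system_bn = match local {
        Local::ApiBoundaryNode { system, .. } => system,
        _ => return false, // only API BNs run the SOCKS proxy
    };
    let (reward, subnet) = match remote {
        Remote::NoRecord => return false,
        Remote::Node { reward, subnet } => (reward, subnet),
    };
    // Assumption: exclude type4 peers explicitly, so the stated consequence
    // (type4 nodes cannot reach the proxy) holds whatever subnet they join.
    if is_type4(reward) {
        return false;
    }
    // Unassigned peers (`subnet == None`) are outside every subnet: closed.
    matches!(
        (system_bn, subnet),
        (true, Some(SubnetKind::System))
            | (false, Some(SubnetKind::App))
            | (false, Some(SubnetKind::VerifiedApp))
    )
}

fn main() {
    let peers = [
        Remote::NoRecord,
        Remote::Node { reward: RewardType::Type4, subnet: Some(SubnetKind::App) },
        Remote::Node { reward: RewardType::Other, subnet: Some(SubnetKind::System) },
        Remote::Node { reward: RewardType::Unknown, subnet: None },
    ];
    let hosts = [
        Local::NoRecord,
        Local::Replica { reward: RewardType::Type4 },
        Local::Replica { reward: RewardType::Other },
        Local::ApiBoundaryNode { system: true, reward: RewardType::Type4 },
    ];
    for host in hosts {
        for peer in peers {
            println!(
                "{host:?} <- {peer:?}: node traffic {}, socks {}",
                accepts_node_traffic(host, peer),
                socks_proxy_open(host, peer)
            );
        }
    }
}
```

Running the block prints the decision for each host/peer pair; the interesting rows to compare are a non-type4 replica against a type4 peer (rejected) versus a peer whose record carries an unknown reward type (accepted), which is the compatibility trade-off the description makes for nodes that have a record but no usable reward type.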

@pierugo-dfinity pierugo-dfinity added the CI_ALL_BAZEL_TARGETS Runs all bazel targets label Mar 11, 2026
@github-actions github-actions bot added the feat label Mar 11, 2026