All firewall protection to be moved to Subaru routers.

After discussion at the end of the MCS commissioning, we agreed to move all packet/traffic filtering to the Subaru network gear, and to remove iptables from but the physical and the virtual machines. The primary argument is that all filtering should be done in one place, where it is obvious what the effective rules are and who is responsible for them.

The rough idea is:

• allow Gen2 and ftp traffic from "Gen2" machines to VMs on two physical PFS machines. Operational redundancy comes from that.
• allow ssh connections to the top-level PFS machines: "mcs", "shell", others as they come up.
• default deny

The work is scheduled for the week immediately following the 2018-06 engineering run, and will be done or managed by Subaru CDM.