fix: remove broken Signal firewall rules

As NFTables converts domain names to IPs on the first query, it is not
possible to depend on it to have a stable connection. Implementing a DNS
proxy configuration might still be difficult due to the use of CDNs.

salt/signal/README.md

@@ -40,17 +40,4 @@ sudo qubesctl state.apply signal.appmenus
 
 You may use different Signal accounts for different identities, such as
 personal, work or pseudonym. Maintain the `signal` qube pristine and clone it
-to the assigned domain, `personal-signal`, `work-signal`, `anon-signal`. If
-you don't maintain the qube pristine, you will have to apply the firewall
-rules manually.
-
-Signal might loose connectivity due to [upstream rotating IP
-addresses](https://support.signal.org/hc/en-us/articles/360007320291) with the
-use of [CDNs to evade
-blocking](https://signal.org/blog/looking-back-on-the-front/).
-You will have to reapply the firewall rules eventually.
-
-TODO: Is it worth using the firewall? If you allow all [cloudfront.net
-IPs](https://ip-ranges.amazonaws.com/ip-ranges.json) for region "GLOBAL", what
-is blocking an attacker from using that to host his malicious callback server?
-Recently (2023-11-11) signal stopped working with the current firewall.
+to the assigned domain, `personal-signal`, `work-signal`, `anon-signal`.

salt/signal/create.sls

@@ -8,7 +8,6 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 
 include:
   - .clone
-  - .firewall
 
 {% load_yaml as defaults -%}
 name: tpl-{{ slsdotpath }}
@@ -52,6 +51,3 @@ features:
   - menu-items: "signal-desktop.desktop qubes-open-file-manager.desktop qubes-run-terminal.desktop qubes-start.desktop"
 {%- endload %}
 {{ load(defaults) }}
-
-{% from 'utils/macros/sync-appmenus.sls' import sync_appmenus with context -%}
-{{ sync_appmenus('tpl-' ~ sls_path) }}

salt/signal/init.top

@@ -8,7 +8,6 @@ base:
   'dom0':
     - match: nodegroup
     - signal.create
-    - signal.firewall
   'tpl-signal':
     - signal.install
   'signal':