make default firewall policy drop

Our default firewall policy should be disallow anything that isn't explicitly accounted for.

based on looking at site_shorewall::defaults it seems like we allow things by default

(from redmine: created on 2013-07-02, relates #1983 (closed), relates #3339 (closed))