roles/common: minor change to firehol update script

They include bogons like 127.0.0.1 that should not be routed on the
public Internet, but this blocks local applications we proxy to.

roles/common/templates/update-firehol-nftables.sh.j2

@@ -28,11 +28,14 @@ if [[ -f "firehol_level1.netset" ]]; then
     firehol_level1_ipv4_list_temp=$(mktemp)
     firehol_level1_ipv4_set_temp=$(mktemp)
 
-    # Filter blank lines and comments
+    # Filter blank lines, comments, and bogons we use inside the LAN, DMZ, and
+    # for local services like systemd-resolved and others on localhost. Ideally
+    # these are blocked already at the WAN side by network administrators.
     cat firehol_level1.netset \
         | sed \
             -e '/^$/d' \
             -e '/^#.*/d' \
+            -e '/^127\.0\.0\.0\/8/d' \
         > "$firehol_level1_ipv4_list_temp"
 
     echo "Building firehol_level1-ipv4 set"