Firewall for APT and Mirrors

Currently ACS is configured with a too thin grained firewall.

every single communication type has to be granted explicitly.

this is a problem in particular for package installation, as package managers rely on multiple mirrors that change often of have multiple IPs, etc.

A compromise would be to allow the APT user to use the internet on ports 80, 443