fix(firmware): Three critical bugs found during MT3000 testing

1. Add yggdrasil init script (procd) — OpenWrt 25.x package doesn't
   include one, causing uci-defaults to fail on `/etc/init.d/yggdrasil
   enable` with set -e, leaving script in /etc/uci-defaults/ to re-run
   every boot and overwrite all config changes.

2. Delete default br-lan/lan before creating br-private — both bridges
   competing for eth0/eth1 port, preventing LAN cable access.

3. Per-device port mapping via /etc/parahub/port_map — filogic devices
   (MT3000, MT6000, WR3000) have eth0=WAN, eth1=LAN (opposite of
   qualcommax/ath79). Build.sh writes PORT_MAP, uci-defaults reads it.

Also: remove `set -e` from uci-defaults (too fragile for first-boot),
add SSH/HTTP firewall rules on yggdrasil zone for remote management.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

scripts/build.sh

@@ -23,36 +23,43 @@ device_config() {
             OPENWRT_TARGET="qualcommax/ipq60xx"
             PROFILE="glinet_gl-axt1800"
             FIRMWARE_ROLE="bumblebee"
+            PORT_MAP="eth0:lan eth1:wan"
             ;;
         mt3000)
             OPENWRT_TARGET="mediatek/filogic"
             PROFILE="glinet_gl-mt3000"
             FIRMWARE_ROLE="bumblebee"
+            PORT_MAP="eth0:wan eth1:lan"
             ;;
         mt6000)
             OPENWRT_TARGET="mediatek/filogic"
             PROFILE="glinet_gl-mt6000"
             FIRMWARE_ROLE="bumblebee"
+            PORT_MAP="eth0:wan eth1:lan"
             ;;
         ax53u)
             OPENWRT_TARGET="ramips/mt7621"
             PROFILE="asus_rt-ax53u"
             FIRMWARE_ROLE="bumblebee"
+            PORT_MAP="dsa"
             ;;
         ar300m16)
             OPENWRT_TARGET="ath79/generic"
             PROFILE="glinet_gl-ar300m16"
             FIRMWARE_ROLE="bee"
+            PORT_MAP="eth0:lan eth1:wan"
             ;;
         wr3000)
             OPENWRT_TARGET="mediatek/filogic"
             PROFILE="cudy_wr3000-v1"
             FIRMWARE_ROLE="bee"
+            PORT_MAP="eth0:wan eth1:lan"
             ;;
         cpe710)
             OPENWRT_TARGET="ath79/generic"
             PROFILE="tplink_cpe710-v1"
             FIRMWARE_ROLE="bee"
+            PORT_MAP="eth0:lan eth1:wan"
             ;;
         *)
             return 1
@@ -169,6 +176,7 @@ build_firmware() {
     echo "$FIRMWARE_ROLE" > "$tmpfiles/etc/parahub/role"
     echo "$OPENWRT_VERSION" > "$tmpfiles/etc/parahub/version"
     echo "$PROFILE" > "$tmpfiles/etc/parahub/profile"
+    echo "$PORT_MAP" > "$tmpfiles/etc/parahub/port_map"
 
     echo "Building firmware for profile: ${PROFILE}"
     echo "Role: ${FIRMWARE_ROLE}"