Commit ae25dcb
committed
Allow inbound UDP to any port >1023
Fix for some UDP connectivity issues with VOIP, torrents, and HTTP/3 (QUIC)
The problem is in ACL_WAN_INBOUND:
101 permit tcp any any established ! ← TCP return traffic: OK
102 permit udp any eq 53 any gt 1023 ! ← Only DNS UDP returns: OK
998 deny ip any any log ! ← Everything else: BLOCKED
TCP has the established keyword (checks ACK/RST flags), but UDP is stateless;
there's no equivalent established keyword for UDP.
So all return UDP traffic (torrents/uTP/DHT, VOIP/RTP, QUIC, etc.) gets denied by rule 998.
There are of course better solutions to this: reflexive ACLs / ZBFW / CBAC, but
all three require the SEC-K9 (Security) license.
The fix then is to permit inbound UDP to ephemeral ports.
NAT itself already provides stateful-like protection for UDP.
When an internal host sends UDP out, NAT creates a translation entry.
Inbound UDP only gets un-NATted if it matches an active translation.
Unsolicited UDP with no matching NAT entry is silently dropped by NAT - it never reaches an internal host.
So the ACL's deny of return UDP was redundantly blocking traffic that NAT already handles.
It's safe (enough) because:
- NAT is the real gatekeeper - packets without a matching NAT translation entry are dropped before reaching any internal host
- The router itself doesn't expose UDP services on high ports (can use control-plane ACLs if paranoid)
- This is what every consumer router does - their "SPI firewall" for UDP is really just a NAT translation table lookup
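Added example, not part of this commit or the project's configuration: a small Python model of the inbound path the message describes (ACL_WAN_INBOUND evaluated on the WAN-side port before NAT un-translation), run over constructed flows to show which packets the old rule set denied and which NAT drops anyway once the high-port UDP permit is added. The sequence number 103 for the new permit, the NAT entries and all port numbers are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src_port: int
    dst_port: int       # port on the router's WAN address (pre-NAT, as the ACL sees it)
    established: bool = False   # TCP ACK or RST set; irrelevant for UDP

def acl_wan_inbound(pkt: Packet, allow_high_udp: bool) -> int:
    """Return the sequence number of the first ACL_WAN_INBOUND rule that matches.
    Rules 101, 102 and 998 are the ones quoted in the commit message; 103 is an
    assumed sequence number for the added 'permit udp any any gt 1023'.
    """
    if pkt.proto == "tcp" and pkt.established:
        return 101                                  # permit tcp any any established
    if pkt.proto == "udp" and pkt.src_port == 53 and pkt.dst_port > 1023:
        return 102                                  # permit udp any eq 53 any gt 1023
    if allow_high_udp and pkt.proto == "udp" and pkt.dst_port > 1023:
        return 103                                  # permit udp any any gt 1023 (the fix)
    return 998                                      # deny ip any any log

def inbound_decision(pkt: Packet, nat_table: dict, allow_high_udp: bool) -> str:
    """Inbound ACL is evaluated first; NAT then un-translates only if (proto, WAN port)
    has an active translation created by earlier outbound traffic."""
    rule = acl_wan_inbound(pkt, allow_high_udp)
    if rule == 998:
        return "denied by ACL rule 998"
    inside = nat_table.get((pkt.proto, pkt.dst_port))
    if inside is None:
        return "dropped by NAT (no matching translation)"
    return f"delivered to {inside[0]}:{inside[1]} via rule {rule}"

# Constructed NAT table: an RTP call leg and a DNS query the inside host sent earlier.
NAT_TABLE = {
    ("udp", 30000): ("10.0.0.5", 16384),   # VOIP/RTP, WAN port 30000 -> 10.0.0.5:16384
    ("udp", 40000): ("10.0.0.5", 54321),   # DNS query, WAN port 40000 -> 10.0.0.5:54321
}

RTP_RETURN   = Packet("udp", 16400, 30000)   # legitimate RTP coming back
DNS_RETURN   = Packet("udp", 53, 40000)      # DNS reply
UNSOLICITED  = Packet("udp", 5555, 31337)    # unsolicited probe at a high port, no NAT entry
LOW_PORT_UDP = Packet("udp", 5555, 500)      # unsolicited probe at a privileged port

if __name__ == "__main__":
    for name, pkt in [("RTP", RTP_RETURN), ("DNS", DNS_RETURN),
                      ("unsolicited", UNSOLICITED), ("low-port", LOW_PORT_UDP)]:
        print(f"{name:12} old: {inbound_decision(pkt, NAT_TABLE, False):40} "
              f"new: {inbound_decision(pkt, NAT_TABLE, True)}")
```

The RTP return is the flow the old rule 998 was breaking; the unsolicited high-port probe is the case the commit message argues is still safe, since it passes the new ACL permit but has no NAT translation and is dropped before reaching an inside host.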
File tree (2 files changed, +39 -5 lines):
- config/network/files
- docs/installation/production