I get the same message (Couldn't match expected type `CGIT IO a0' with actual type `IO [String]'). I think I do understand where this message is coming from. But what can I do to fix it?
For now, you just correct the type of runRefreshFirewall; it should be
runRefreshFirewall :: String -> CGIT IO [String]
If you are intending to run actual IO actions in the real thing, you'll need to use liftIO to "reach" the IO embedded in the CGIT IO a.
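The fix described above, as an added example that is not part of the original posts: a complete CGI program in which `runRefreshFirewall` lifts a plain `IO` action into `CGIT IO`. It assumes the `cgi` package; `refreshFirewallIO`, `validZone` and the `zone` request parameter are hypothetical names, since the thread does not show the function body or where its `String` argument comes from.

```haskell
module Main (main) where

import Control.Monad.IO.Class (liftIO)
import Data.Char (isAlphaNum)
import Network.CGI
  ( CGI, CGIResult, CGIT, getInput, handleErrors
  , output, outputError, runCGI, setHeader )
import System.IO (hPutStrLn, stderr)

-- Hypothetical stand-in for the real work: an ordinary IO action.
refreshFirewallIO :: String -> IO [String]
refreshFirewallIO zone = do
  let msg = "refresh requested for zone " ++ zone
  hPutStrLn stderr msg          -- real IO: goes to the web server's error log
  return [msg]

-- The corrected signature from the answer. liftIO turns IO [String] into
-- CGIT IO [String]. Writing `runRefreshFirewall = refreshFirewallIO`
-- instead reproduces the error from the question:
--   Couldn't match expected type `CGIT IO a0' with actual type `IO [String]'
runRefreshFirewall :: String -> CGIT IO [String]
runRefreshFirewall zone = liftIO (refreshFirewallIO zone)

-- Assumption: the argument comes from the request, so it is restricted to a
-- non-empty alphanumeric string before it reaches any IO action.
validZone :: String -> Bool
validZone z = not (null z) && all isAlphaNum z

cgiMain :: CGI CGIResult        -- CGI is a synonym for CGIT IO
cgiMain = do
  mzone <- getInput "zone"
  case mzone of
    Just zone | validZone zone -> do
      ls <- runRefreshFirewall zone   -- same monad, so it binds directly
      setHeader "Content-Type" "text/plain"
      output (unlines ls)
    _ -> outputError 400 "Bad Request" ["missing or invalid zone parameter"]

main :: IO ()
main = runCGI (handleErrors cgiMain)
```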