Enable the firewall.

Now that we have networking working, I can enable the firewall and confirm nothing breaks.

nix/kubernetes/roles/debugging/default.nix

@@ -27,7 +27,9 @@
       ldns # for drill
     ];
 
-    networking.firewall.enable = false; # TODO: This is just here for debugging / initial development.
-    # TODO: Maybe use networking.nftables.enable to switch to nftables?
+    # This can make debugging easier by rejecting packets instead of dropping them:
+    networking.firewall.rejectPackets = true;
+    # Log each rejected packet instead of just each connection.
+    networking.firewall.logRefusedPackets = true;
   };
 }

nix/kubernetes/roles/firewall/default.nix

@@ -26,15 +26,29 @@
       "net.bridge.bridge-nf-call-iptables" = 1;
       "net.bridge.bridge-nf-call-ip6tables" = 1;
       "net.ipv4.ip_forward" = 1;
+
+      # Enable forwarding on all interfaces.
+      # "net.ipv4.conf.all.forwarding" = 1;
+      # "net.ipv6.conf.all.forwarding" = 1;
     };
 
+    networking.firewall.enable = false;
     networking.nftables.enable = true;
     # We want to filter forwarded traffic.
     # Also needed for `networking.firewall.extraForwardRules` to do anything.
     networking.firewall.filterForward = true;
 
-    # This can make debugging easier by rejecting packets instead of dropping them:
-    # networking.firewall.rejectPackets = true;
+    networking.firewall.extraInputRules = ''
+      ip6 saddr 2620:11f:7001:7:ffff:eeee::/96 accept
+      ip6 saddr fd00:3e42:e349::/112 accept
+      ip6 saddr 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 accept
+    '';
+
+    networking.firewall.extraForwardRules = ''
+      ip6 daddr 2620:11f:7001:7:ffff:eeee::/96 accept
+      ip6 daddr fd00:3e42:e349::/112 accept
+      ip6 daddr 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 accept
+    '';
 
     # Check logs for blocked connections:
     # journalctl -k or dmesg