talexander/machine_setup
1
0
Fork 0
Code Issues Pull Requests Releases Activity

Enable the firewall.

Browse Source 
Now that we have networking working, I can enable the firewall and confirm nothing breaks.
This commit is contained in:
Tom Alexander 2026-01-01 10:21:36 -05:00 committed by Tom Alexander
parent 4024847954
commit 72084f1a7e
Signed by: talexander
GPG Key ID: 36C99E8B3C39D85F
4 changed files with 28 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
nix/kubernetes/README.org
View File

@ -10,6 +10,12 @@
{ domain = "@users"; item = "rtprio"; type = "-"; value = 1; } { domain = "@users"; item = "rtprio"; type = "-"; value = 1; }
]; ];
#+end_src #+end_src
* IP Ranges
| | IPv4 | IPv6 |
|---------+---------------+-----------------------------------------|
| Pod | 10.200.0.0/16 | 2620:11f:7001:7:ffff:eeee::/96 |
| Service | 10.197.0.0/16 | fd00:3e42:e349::/112 |
| Node | 10.215.1.0/24 | 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 |
* Healthcheck * Healthcheck
** Check cilium status ** Check cilium status
#+begin_src bash #+begin_src bash

2
nix/kubernetes/keys/scope.nix
View File

@ -246,6 +246,8 @@ makeScope newScope (
"ipv4NativeRoutingCIDR" = "10.200.0.0/16"; "ipv4NativeRoutingCIDR" = "10.200.0.0/16";
"ipv6NativeRoutingCIDR" = "2620:11f:7001:7:ffff::/80"; "ipv6NativeRoutingCIDR" = "2620:11f:7001:7:ffff::/80";
# TODO: Read and maybe apply https://docs.cilium.io/en/stable/operations/performance/tuning/
# --set hostFirewall.enabled=true # --set hostFirewall.enabled=true
# --set 'ipam.operator.clusterPoolIPv4PodCIDRList=["10.0.0.0/8"]' \ # --set 'ipam.operator.clusterPoolIPv4PodCIDRList=["10.0.0.0/8"]' \

6
nix/kubernetes/roles/debugging/default.nix
View File

@ -27,7 +27,9 @@
ldns # for drill ldns # for drill
]; ];
networking.firewall.enable = false; # TODO: This is just here for debugging / initial development. # This can make debugging easier by rejecting packets instead of dropping them:
# TODO: Maybe use networking.nftables.enable to switch to nftables? networking.firewall.rejectPackets = true;
# Log each rejected packet instead of just each connection.
networking.firewall.logRefusedPackets = true;
}; };
} }

18
nix/kubernetes/roles/firewall/default.nix
View File

@ -26,15 +26,29 @@
"net.bridge.bridge-nf-call-iptables" = 1; "net.bridge.bridge-nf-call-iptables" = 1;
"net.bridge.bridge-nf-call-ip6tables" = 1; "net.bridge.bridge-nf-call-ip6tables" = 1;
"net.ipv4.ip_forward" = 1; "net.ipv4.ip_forward" = 1;
# Enable forwarding on all interfaces.
# "net.ipv4.conf.all.forwarding" = 1;
# "net.ipv6.conf.all.forwarding" = 1;
}; };
networking.firewall.enable = false;
networking.nftables.enable = true; networking.nftables.enable = true;
# We want to filter forwarded traffic. # We want to filter forwarded traffic.
# Also needed for `networking.firewall.extraForwardRules` to do anything. # Also needed for `networking.firewall.extraForwardRules` to do anything.
networking.firewall.filterForward = true; networking.firewall.filterForward = true;
# This can make debugging easier by rejecting packets instead of dropping them: networking.firewall.extraInputRules = ''
# networking.firewall.rejectPackets = true; ip6 saddr 2620:11f:7001:7:ffff:eeee::/96 accept
ip6 saddr fd00:3e42:e349::/112 accept
ip6 saddr 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 accept
'';
networking.firewall.extraForwardRules = ''
ip6 daddr 2620:11f:7001:7:ffff:eeee::/96 accept
ip6 daddr fd00:3e42:e349::/112 accept
ip6 daddr 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 accept
'';
# Check logs for blocked connections: # Check logs for blocked connections:
# journalctl -k or dmesg # journalctl -k or dmesg