Enable the firewall.

Now that we have networking working, I can enable the firewall and confirm nothing breaks.
2026-01-01 10:21:36 -05:00 · 2026-01-01 10:21:36 -05:00 · 72084f1a7e
commit 72084f1a7e
parent 4024847954
4 changed files with 28 additions and 4 deletions
--- a/nix/kubernetes/README.org
+++ b/nix/kubernetes/README.org
@ -10,6 +10,12 @@
    { domain = "@users"; item = "rtprio"; type = "-"; value = 1; }
  ];
 #+end_src
+* IP Ranges
+|         | IPv4          | IPv6                                    |
+|---------+---------------+-----------------------------------------|
+| Pod     | 10.200.0.0/16 | 2620:11f:7001:7:ffff:eeee::/96          |
+| Service | 10.197.0.0/16 | fd00:3e42:e349::/112                    |
+| Node    | 10.215.1.0/24 | 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 |
 * Healthcheck
 ** Check cilium status
 #+begin_src bash
--- a/nix/kubernetes/keys/scope.nix
+++ b/nix/kubernetes/keys/scope.nix
@ -246,6 +246,8 @@ makeScope newScope (
            "ipv4NativeRoutingCIDR" = "10.200.0.0/16";
            "ipv6NativeRoutingCIDR" = "2620:11f:7001:7:ffff::/80";

+            # TODO: Read and maybe apply https://docs.cilium.io/en/stable/operations/performance/tuning/
+
            # --set hostFirewall.enabled=true

            # --set 'ipam.operator.clusterPoolIPv4PodCIDRList=["10.0.0.0/8"]' \
--- a/nix/kubernetes/roles/debugging/default.nix
+++ b/nix/kubernetes/roles/debugging/default.nix
@ -27,7 +27,9 @@
      ldns # for drill
    ];

-    networking.firewall.enable = false; # TODO: This is just here for debugging / initial development.
-    # TODO: Maybe use networking.nftables.enable to switch to nftables?
+    # This can make debugging easier by rejecting packets instead of dropping them:
+    networking.firewall.rejectPackets = true;
+    # Log each rejected packet instead of just each connection.
+    networking.firewall.logRefusedPackets = true;
  };
 }
--- a/nix/kubernetes/roles/firewall/default.nix
+++ b/nix/kubernetes/roles/firewall/default.nix
@ -26,15 +26,29 @@
      "net.bridge.bridge-nf-call-iptables" = 1;
      "net.bridge.bridge-nf-call-ip6tables" = 1;
      "net.ipv4.ip_forward" = 1;
+
+      # Enable forwarding on all interfaces.
+      # "net.ipv4.conf.all.forwarding" = 1;
+      # "net.ipv6.conf.all.forwarding" = 1;
    };

+    networking.firewall.enable = false;
    networking.nftables.enable = true;
    # We want to filter forwarded traffic.
    # Also needed for `networking.firewall.extraForwardRules` to do anything.
    networking.firewall.filterForward = true;

-    # This can make debugging easier by rejecting packets instead of dropping them:
-    # networking.firewall.rejectPackets = true;
+    networking.firewall.extraInputRules = ''
+      ip6 saddr 2620:11f:7001:7:ffff:eeee::/96 accept
+      ip6 saddr fd00:3e42:e349::/112 accept
+      ip6 saddr 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 accept
+    '';
+
+    networking.firewall.extraForwardRules = ''
+      ip6 daddr 2620:11f:7001:7:ffff:eeee::/96 accept
+      ip6 daddr fd00:3e42:e349::/112 accept
+      ip6 daddr 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 accept
+    '';

    # Check logs for blocked connections:
    # journalctl -k or dmesg