Correct firewall rules to only block wan interfaces

Currently the firewall rules have policy "drop" on the "inet" table the input chain. However, with ntf tables, an accept does not mean accept, it means it is sent to the next table, as a result, ports need to be opened in all tables.

We let kubernetes control the "ip" and "ip6" tables, which controls ACLs between pods. However, the default 'drop' policy in the 'inet' table can cause problems. This should be changed, so our own rules, only control that on those interfaces we want. The policy needs to be accepts and a drop on external interfaces.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

Admin message

Correct firewall rules to only block wan interfaces