Installing k3s disables firewall port range unexpectedly

I’ve started playing around with k3s on my local machine today. It’s pretty straightforward, and I managed to make a Svelte app using the Node adapter run in a deployment (it’s just a web server listening on port 3000). Then I created a NodePort service that exposes that port 3000 as port 30005 on my localhost. Now I can reach my app at localhost:30005 as expected.

What I did not expect (and do not want without extra config) is that I can also reach that app at http://my-nixos-hostname:30005 from any device in my local network. That’s not cool, because I did not open that port in my firewall, and the config example for k3s suggests that, if port opening is desired, it should be done manually, because the first snippet lists the line networking.firewall.allowedTCPPorts: k3s docs.

Other ports, e.g. 5173, which is used when I run the app in dev mode outside of containerization, remain inaccessible from other machines, as I’d expect.

It feels like simply enabling k3s in the config also opens the firewall for the port range that k3s uses for its connections. This is not documented, not expected (on my part) and a quick look into the package definition did not allow me to glean where/how it happens.

Can somebody confirm that this is indeed the case, comment on whether that is desired behavior, and possibly point me to where in nixpkgs that’s actually set up and how I might counteract it?

Cheers

Edit:
It’s not actually opening the entire port range. A service running on port 30006 is not accessible from the local network. Apparently only the port specified in the Kubernetes Service is accessible, which is even stranger, because that means that a k3s-internal configuration is affecting my machine’s firewall. Should it be that way?

Edit 2:
A similar issue seems to be known for docker and podman. This is really not cool. Any workarounds?

I haven’t tried this yet, but I was wondering if it would help to run the k3s cluster using WireGuard via the wireguard-native Flannel backend, as described here.
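The behaviour described in the post can be checked directly from the host's packet-filter rules rather than by probing ports from another machine. The script below is an added example, not code from the original post, from k3s or from nixpkgs. It assumes kube-proxy is running in its default iptables mode (so NodePorts appear in the nat table's KUBE-NODEPORTS chain) and that the NixOS iptables firewall hooks its nixos-fw chain into filter/INPUT; the iptables-save text embedded in it is a constructed sample, and the KUBE-EXT-EXAMPLE1 target name and the svelte-app service name are placeholders. It reports which ports the firewall opens explicitly and which NodePorts kube-proxy DNATs, and flags NodePorts that are reachable from the LAN although no firewall rule allows them.

```python
"""Audit which TCP ports a NixOS host accepts from the network once k3s runs.

Why NodePorts bypass networking.firewall: kube-proxy installs a DNAT rule in
nat/PREROUTING for each NodePort.  PREROUTING runs before the routing decision,
so the packet is rewritten to the pod IP and then routed through filter/FORWARD,
never reaching the nixos-fw rules that sit in filter/INPUT.  Ports without such
a DNAT rule (30006, 5173, ...) still hit INPUT and are refused as usual.
"""
import re
import sys
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `iptables-save` output: one NixOS firewall rule for SSH
# and one kube-proxy NodePort rule for port 30005.  Chain/target names marked
# EXAMPLE are placeholders, not real kube-proxy hashes.
SAMPLE_IPTABLES_SAVE = """\
# constructed sample, not captured from a real host
*nat
:PREROUTING ACCEPT [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-NODEPORTS - [0:0]
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/svelte-app:http" -m tcp --dport 30005 -j KUBE-EXT-EXAMPLE1
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:nixos-fw - [0:0]
-A INPUT -j nixos-fw
-A nixos-fw -i lo -j nixos-fw-accept
-A nixos-fw -m conntrack --ctstate ESTABLISHED,RELATED -j nixos-fw-accept
-A nixos-fw -p tcp -m tcp --dport 22 -j nixos-fw-accept
-A nixos-fw -j nixos-fw-log-refuse
COMMIT
"""


@dataclass(frozen=True)
class NodePortRule:
    port: int
    proto: str
    service: str  # kube-proxy writes "namespace/name:portname" into the comment


_DPORT = re.compile(r"--dport (\d+)(?::(\d+))?")  # single port or lo:hi range
_PROTO = re.compile(r"-p (\w+)")
_COMMENT = re.compile(r'--comment "([^"]*)"')


def parse_iptables_save(text: str) -> dict:
    """Collect firewall-accepted ports and kube-proxy NodePort DNAT rules."""
    table: Optional[str] = None
    fw_open: set = set()
    nodeports: list = []
    for line in text.splitlines():
        if line.startswith("*"):          # "*nat", "*filter": table header
            table = line[1:].strip()
            continue
        if not line.startswith("-A "):
            continue
        chain = line.split()[1]
        dport = _DPORT.search(line)
        if dport is None:
            continue
        lo = int(dport.group(1))
        hi = int(dport.group(2) or lo)
        if table == "filter" and chain == "nixos-fw" and "-j nixos-fw-accept" in line:
            # networking.firewall.allowedTCPPorts / allowedTCPPortRanges land here
            fw_open.update(range(lo, hi + 1))
        elif table == "nat" and chain == "KUBE-NODEPORTS":
            proto = _PROTO.search(line)
            comment = _COMMENT.search(line)
            nodeports.append(NodePortRule(
                port=lo,
                proto=proto.group(1) if proto else "tcp",
                service=comment.group(1) if comment else "<unknown>",
            ))
    return {"firewall_open": fw_open, "nodeports": nodeports}


def audit(text: str) -> dict:
    """Parsed rules plus the NodePorts that no firewall rule explicitly allows."""
    parsed = parse_iptables_save(text)
    parsed["bypassing_firewall"] = [
        r for r in parsed["nodeports"] if r.port not in parsed["firewall_open"]
    ]
    return parsed


def reachable_from_lan(parsed: dict, port: int, proto: str = "tcp") -> bool:
    """True if the port is opened by the firewall or DNATed by kube-proxy."""
    if port in parsed["firewall_open"]:
        return True
    return any(r.port == port and r.proto == proto for r in parsed["nodeports"])


if __name__ == "__main__":
    # Real use: `sudo iptables-save | python3 audit_nodeports.py`
    text = SAMPLE_IPTABLES_SAVE if sys.stdin.isatty() else sys.stdin.read()
    result = audit(text)
    print("firewall opens:", sorted(result["firewall_open"]))
    for rule in result["bypassing_firewall"]:
        print(f"NodePort {rule.port}/{rule.proto} ({rule.service}) is reachable "
              f"from the LAN without a networking.firewall rule")
```

On a real host, feed it `sudo iptables-save`; the constructed sample reproduces the post's observation: 30005 is reachable although only 22 is opened by the firewall, while 30006 and 5173 are not. Two mitigations worth knowing, neither from the post: kube-proxy's `--nodeport-addresses` flag (settable in k3s through `--kube-proxy-arg`) limits the addresses on which the NodePort DNAT rule matches, so `127.0.0.0/8` keeps NodePorts reachable only via localhost; and a ClusterIP Service with a port-forward for local testing adds no DNAT rule at all.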