{ lib, ... }:
{
  networking.firewall = {
    enable = true;

    # NOTE: Configure manually with `extraCommands`.
    allowedTCPPortRanges = lib.mkForce [ ];
    allowedTCPPorts = lib.mkForce [ ];
    allowedUDPPortRanges = lib.mkForce [ ];
    allowedUDPPorts = lib.mkForce [ ];

    allowPing = true;
    rejectPackets = false; # Drop.

    logRefusedConnections = false;
    logRefusedPackets = false;
    logRefusedUnicastsOnly = true;
    logReversePathDrops = false;
  };
}