
Sheogorath authored
This patch configures Calico to help isolate the cluster from the rest of the world by implementing host firewall rules. This should close various ports that would otherwise be exposed to the outside world and pose a risk. It's important to note that, due to the usage of WireGuard, there are some additional ports that must be opened for the whole setup to function. If ports >40000 on UDP aren't open, the whole network will die, apparently. At least that's what experimenting with this feature has indicated. Reference: https://projectcalico.docs.tigera.io/security/kubernetes-nodes