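#!/usr/sbin/nft -f
#
# Host firewall for a single-homed machine that does not route traffic.
#
# NOTE: "flush ruleset" removes *every* table in the kernel, not just this
# one, so rules installed by other tools (container runtimes, fail2ban,
# libvirt, ...) are wiped each time this file is loaded. Such tools must
# re-add their rules afterwards or be managed via the include directory at
# the bottom of this file.
flush ruleset

table inet firewall {
    chain inbound {
        # Default-deny: anything not explicitly accepted below is dropped.
        type filter hook input priority 0; policy drop;

        # Replies to flows this host initiated, plus related flows (ICMP
        # errors, protocol helpers), are accepted first so they are never
        # subject to the rate limits further down.
        ct state established,related accept

        # Packets conntrack cannot associate with any known flow.
        ct state invalid drop

        # Loopback is always trusted.
        iifname lo accept

        # Everything arriving on the local VLAN interface is trusted
        # unconditionally. This is a trust decision rather than a filter:
        # any host on eth1 can reach any local port. iifname matches by
        # name, so the rule still applies if eth1 appears after load time.
        iifname eth1 accept

        # IPv6 Neighbor Discovery must not be rate limited: if router
        # advertisements or neighbor solicitations/advertisements are dropped
        # under load, the host loses its default route and its neighbors can
        # no longer resolve its address, i.e. IPv6 silently breaks. Conntrack
        # generally leaves these untracked, so the established/related accept
        # above does not cover them; exempt them from the ICMPv6 limit below.
        icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        # Remaining ICMP, ICMPv6 and IGMP is accepted but throttled to blunt
        # ping/flood style attacks. ICMPv6 is matched with "meta l4proto"
        # rather than "ip6 nexthdr" because nexthdr only inspects the header
        # immediately following the fixed IPv6 header; ICMPv6 behind an
        # extension header would otherwise miss this rule and hit the policy
        # drop.
        ip protocol icmp limit rate 5/second accept
        meta l4proto ipv6-icmp limit rate 5/second accept
        ip protocol igmp limit rate 5/second accept

        # SSH is reachable from every interface with no connection-rate
        # throttle. Brute-force protection has to come from sshd itself
        # (key-only authentication) or from an additional rule dropped into
        # /etc/nftables.d/.
        tcp dport 22 accept
    }

    chain forward {
        # This host is not a router: never forward between interfaces.
        type filter hook forward priority 0; policy drop;
    }

    chain outbound {
        # Locally generated traffic is unrestricted.
        type filter hook output priority 0; policy accept;
    }
}

# Site-local additions. Because this include comes *after* "flush ruleset",
# the included files are re-applied on every reload; they may also append
# rules to the chains above, so everything in that directory is effectively
# part of this policy and should be reviewed with it.
include "/etc/nftables.d/*.nft"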