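flush ruleset

# Router firewall: inet (IPv4+IPv6) filter table plus an IPv4 NAT table.
# "brlan" is the LAN bridge; anything that is not lo/brlan is treated as
# the upstream side by the rule order below.
table inet firewall {
    chain inbound {
        # By default, drop all traffic unless it meets a filter
        # criteria specified by the rules that follow below.
        type filter hook input priority 0; policy drop;

        # Allow traffic from established and related packets.
        ct state established,related accept

        # Drop invalid packets.
        ct state invalid drop

        # Allow local connections.
        iifname lo accept
        iifname brlan accept

        # Every rule from here on is only reached by packets that did
        # NOT arrive on lo or brlan, i.e. from the upstream side.

        # Allow all ICMP and IGMP traffic, but enforce a rate limit
        # to help prevent some types of flood attacks.
        ip protocol icmp limit rate 5/second accept
        ip protocol igmp limit rate 5/second accept
        # "meta l4proto" also matches ICMPv6 that sits behind IPv6
        # extension headers (e.g. the hop-by-hop header used by MLD);
        # "ip6 nexthdr" only inspects the first next-header field.
        # NOTE: this limit also covers Neighbour Discovery and Router
        # Advertisements from the upstream router; accept the nd-*
        # icmpv6 types explicitly if upstream IPv6 becomes unreliable.
        meta l4proto ipv6-icmp limit rate 5/second accept

        # required for dhcp-pd to work!
        udp dport dhcpv6-client accept

        # Allow some ports. Because LAN traffic was already accepted
        # above, these rules expose the services on the upstream side.
        tcp dport ssh accept
        tcp dport http accept
        tcp dport https accept
        tcp dport 8443 accept comment "step-ca"
        tcp dport 22000 accept comment "syncthing"
        udp dport 21027 accept comment "syncthing"
    }

    chain forward {
        # By default, drop all traffic unless it meets a filter
        # criteria specified by the rules that follow below.
        type filter hook forward priority 0; policy drop;

        # Clamp the TCP MSS of SYN packets to the MTU of the route the
        # packet will take, so forwarded connections do not exceed it.
        tcp flags syn tcp option maxseg size set rt mtu

        # Allow traffic from established and related packets.
        ct state established,related accept

        # Drop invalid packets.
        ct state invalid drop

        # local clients can do whatever
        iifname brlan accept

        # Allow all ICMP and IGMP traffic, but enforce a rate limit
        # to help prevent some types of flood attacks.
        ip protocol icmp limit rate 5/second accept
        ip protocol igmp limit rate 5/second accept
        meta l4proto ipv6-icmp limit rate 5/second accept

        # Drop incoming NetBIOS traffic. These rules sit after the
        # brlan accept, so only non-LAN traffic reaches them; with the
        # drop policy they mainly act as counters for such attempts.
        tcp dport {139, 445} counter drop comment "silently drop NetBios"
        udp dport {137, 138} counter drop comment "silently drop NetBios"
    }

    chain outbound {
        # Allow all outbound traffic
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain prerouting {
        # No destination NAT rules yet; chain exists so they can be
        # added without touching the filter table.
        type nat hook prerouting priority -100; policy accept;
    }

    chain postrouting {
        type nat hook postrouting priority srcnat + 1; policy accept;
        # Masquerade the private range. There is no oifname restriction,
        # so this applies on every outgoing interface (including brlan);
        # add "oifname <WAN-INTERFACE>" if only upstream traffic should
        # be source-NATed.
        ip saddr 10.0.0.0/8 masquerade;
    }
}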