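#!/usr/bin/nft -f
# ipv4 stateful firewall
#
# Default-deny input filter for IPv4 only (family "ip"; IPv6 traffic is not
# touched by this file). Replies to locally initiated connections, GRE,
# loopback, ICMP and the listed TCP/UDP services are accepted; every other
# packet reaching the input hook is dropped by the chain policy.

table ip firewall {
    chain input {
        # "policy drop" is what makes the accept rules below meaningful:
        # a base chain without an explicit policy defaults to accept, so
        # traffic matching none of the rules would otherwise be let through.
        # Any other service this host must accept from the network needs its
        # own rule in this chain.
        type filter hook input priority 0; policy drop;

        # allow established/related connections
        ct state established,related accept

        # allow gre (before invalid drop for vpn)
        ip protocol gre accept

        # drop of invalid connections
        # NOTE(review): the original file remarked that this rule was
        # "causing nft to crash at the moment"; confirm the ruleset loads
        # cleanly on the nft version in use.
        ct state invalid drop

        # allow from loopback
        iifname lo accept

        # allow icmp
        ip protocol icmp accept

        # allow the following tcp ports (service names are resolved through
        # /etc/services when the ruleset is loaded)
        # NOTE(review): mysql, sunrpc and mountd are reachable from any source
        # here; add an "ip saddr" match if they are only meant for the local
        # network.
        tcp dport { shilp, imap, submission, mysql, http, smtp, xbox, https, ssh, mountd, sunrpc, mshvlm, xmpp-client, undo-lm, personal-agent } accept

        # allow the following udp ports
        udp dport { domain, sunrpc } accept
    }

    chain forward {
        # this host does not route; the chain policy replaces the former
        # unconditional "drop" rule with identical effect
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # no restrictions on locally generated traffic (default policy accept)
        type filter hook output priority 0;
    }
}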