# ipv4/ipv6 Simple & Safe Firewall
# you can find examples at
# https://wiki.archlinux.org/index.php/Nftables#Examples

# Atomic reload.
#
# The table is flushed before the new rules are applied,
# and both steps live in this single file, so the whole file
# is loaded as one transaction: if you made a typo and the new
# rules are invalid, nothing is applied and your old rules
# are not flushed.
#
# "add table" makes the flush succeed on a fresh boot, when
# the table does not exist yet.
add table inet simple_firewall
flush table inet simple_firewall

table inet simple_firewall {
  chain simple_input {
    # This comment explains the syntax of the chain definition.
    #
    # Chain type: filter
    # Filter is the default type of chain.
    # It supports all hooks and all table families.
    #
    # Hook type: input
    # The input hook processes all incoming packets
    # addressed to this host.
    #
    # Priority: 0
    # This determines the order of evaluation of
    # chains on the same hook. Lower values are
    # evaluated first.
    type filter hook input priority 0

    # Default action is drop: anything that reaches the end of
    # this chain without a verdict is silently discarded.
    policy drop

    # Allow established/related connections.
    # Evaluated first so the bulk of traffic takes the shortest path.
    ct state {established, related} accept

    # Early drop of invalid connections
    ct state invalid drop

    # Allow from loopback
    iifname lo accept

    # Allow icmp and icmpv6 (both families; matched on the
    # transport protocol so it works in an inet table)
    meta l4proto { icmp, ipv6-icmp } accept

    # Allow DHCPv6 incoming replies
    # (server port 547 -> client port 546, link-local destination only).
    # NOTE(review): matches "new" and "untracked" states, presumably because
    # the reply is not tracked as "related" to the client's solicit — confirm.
    ip6 daddr fe80::/64 udp sport 547 udp dport 546 ct state { new, untracked } accept

    # Allow ssh (from any source; narrow with ip saddr / ip6 saddr
    # if the set of administrative hosts is known)
    tcp dport ssh accept

    # Everything else is rejected explicitly. This terminal verdict fires
    # before the chain's "policy drop" ever applies, and unlike drop it
    # answers with an ICMP error rather than silently discarding the packet.
    # Remove this line (or use "drop") if the chain policy is the intended
    # behaviour.
    reject
  }

  chain simple_forward {
    # This chain hooks to forwarded packets,
    # meaning it processes the packets
    # that we received but whose destination
    # is a different address.
    #
    # If we were a router we would send those
    # packets to the recipient, but we are an
    # end point, so the policy drop discards them all
    # (no rules are needed in this chain).
    type filter hook forward priority 0
    policy drop
  }
}

# vim:set ts=2 sw=2 et: