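#!/usr/bin/nft -f
# vim:set ts=2 sw=2 et:
#
# Host firewall for a workstation: default-deny inbound, stateful accept of
# reply traffic, and a short allow-list (loopback, ICMP/ICMPv6, mDNS, SSH).
# Only an input chain is declared; the forward and output hooks therefore
# keep the kernel default (accept).

# NOTE: 'flush ruleset' removes every table in every family (ip, ip6, inet,
# bridge, ...), including tables installed by other tools such as container
# runtimes. Load this file only where it is meant to be the sole firewall
# configuration on the host.
flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    # Reply and related traffic of flows we initiated or already accepted.
    ct state { established, related } accept

    # Packets conntrack cannot map to any flow (bad TCP state, truncated
    # headers): drop them before any per-service rule can match them.
    ct state invalid drop

    # Everything on the loopback interface is trusted.
    iifname lo accept

    # Accept all ICMP and ICMPv6 types. ICMPv6 must be allowed for IPv6 to
    # function at all (NDP, PMTUD); a per-type allow-list is possible but easy
    # to get wrong. 'meta l4proto' matches the real transport protocol even
    # when IPv6 extension headers precede it, whereas 'ip6 nexthdr icmpv6'
    # only matches when ICMPv6 immediately follows the fixed IPv6 header.
    meta l4proto { icmp, ipv6-icmp } accept

    # mDNS (Avahi/Bonjour). Accepted from any source; restrict with
    # 'iifname <lan-if>' if the host also sits on untrusted networks.
    udp dport 5353 accept

    # SSH, unrestricted by source. Consider a source set or a 'limit rate'
    # rule if the host is reachable from networks that brute-force SSH.
    tcp dport ssh accept
  }
}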