diff --git a/templates/nftables.j2 b/templates/nftables.j2
index 98f079c..961a489 100644
--- a/templates/nftables.j2
+++ b/templates/nftables.j2
@@ -78,15 +78,15 @@ table ip filter {
 
   # docker's user configurable forward hook chain
   chain DOCKER-USER {
-    iifname {{ vpn_interface }} ip saddr {{ vpn_subnet }} ip daddr {{ transmission_nginx_ip }} accept
-    iifname {{ vpn_interface }} ip saddr {{ vpn_subnet }} ip daddr {{ syncthing_nginx_ip }} accept
-    iifname {{ vpn_interface }} ip saddr {{ vpn_subnet }} ip daddr {{ radicale_nginx_ip }} accept
-    iifname {{ vpn_interface }} ip saddr {{ vpn_subnet }} ip daddr {{ mpd_app_ip }} accept
+    iifname {{ vpn_interface }} ip saddr {{ vpn_subnet }} ip daddr {{ transmission_nginx_ip }} accept comment "Transmission NGINX"
+    iifname {{ vpn_interface }} ip saddr {{ vpn_subnet }} ip daddr {{ syncthing_nginx_ip }} accept comment "Syncthing NGINX"
+    iifname {{ vpn_interface }} ip saddr {{ vpn_subnet }} ip daddr {{ radicale_nginx_ip }} accept comment "Radicale NGINX"
+    iifname {{ vpn_interface }} ip saddr {{ vpn_subnet }} ip daddr {{ mpd_app_ip }} accept comment "MPD app"
 
-    iifname {{ vpn_media_interface }} ip saddr {{ vpn_media_subnet }} ip daddr {{ jellyfin_nginx_ip }} accept
+    iifname {{ vpn_media_interface }} ip saddr {{ vpn_media_subnet }} ip daddr {{ jellyfin_nginx_ip }} accept comment "Jellyfin NGINX"
   }
 
   chain output {
-    type filter hook output priority filter;
+    type filter hook output priority filter; policy accept;
   }
 }