X-Git-Url: https://git.ao2.it/config/nftables.git/blobdiff_plain/4fda8eab6d828b61ca4753cb2bc0c232578ffb90..a8a3ce6b575f8de21d2b325fbcb93e29ea51235a:/nftables-workstation.nft

diff --git a/nftables-workstation.nft b/nftables-workstation.nft
index 3f1f446..ecfb200 100644
--- a/nftables-workstation.nft
+++ b/nftables-workstation.nft
@@ -39,7 +39,8 @@ table inet filter {
     }
 
     chain input {
-        type filter hook input priority 0;
+        type filter hook input priority 0
+        policy drop
 
         ct state established,related accept
         ct state invalid drop
@@ -75,7 +76,8 @@ table inet filter {
         } ip6 hoplimit 255 accept
 
         # Allow multicast listener discovery on link-local addresses.
-        ip6 nexthdr ipv6-icmp icmpv6 type {
+        # RFC2710 specifies that a Hop-by-Hop Options header is used.
+        hbh nexthdr ipv6-icmp icmpv6 type {
             mld-listener-query,
             mld-listener-report,
             mld-listener-reduction
@@ -122,13 +124,17 @@ table inet filter {
     }
 
     chain forward {
-        type filter hook forward priority 0;
+        type filter hook forward priority 0
+        policy drop
+
         limit rate 3/minute burst 10 packets log prefix "[FORWARD]: "
         counter reject
     }
 
     chain output {
-        type filter hook output priority 0;
+        type filter hook output priority 0
+        policy drop
+
         counter accept
     }
 }