X-Git-Url: https://git.ao2.it/config/nftables.git/blobdiff_plain/d684d1e527c3554ae88b01d215d3a07d7606cbad..84a1da821bf306d06f68bf8896b1be0a2e70b421:/nftables-workstation.nft
diff --git a/nftables-workstation.nft b/nftables-workstation.nft
index fd227f5..c1ffd80 100644
--- a/nftables-workstation.nft
+++ b/nftables-workstation.nft
@@ -39,11 +39,8 @@ table inet filter {
 }
 
 chain input {
- type filter hook input priority 0;
-
- ct state established,related accept
- ct state invalid drop
- ct state new jump in-new
+ type filter hook input priority 0
+ policy drop
 
 iif lo accept
 
@@ -66,7 +63,7 @@ table inet filter {
 packet-too-big
 } accept
 
- # Allow auto configuration support.
+ # Allow IPv6 Neighbor Discovery (RFC4861).
 ip6 nexthdr ipv6-icmp icmpv6 type {
 nd-router-advert,
 nd-router-solicit,
@@ -91,6 +88,11 @@ table inet filter {
 # Allow IGMPv3 queries.
 ip protocol igmp ip daddr 224.0.0.1 accept
 
+ # Stateful filtering for anything else.
+ ct state established,related accept
+ ct state invalid drop
+ ct state new jump in-new
+
 # Silently drop other incoming broadcast and multicast traffic.
 meta pkttype {broadcast, multicast} drop
 
@@ -123,13 +125,17 @@ table inet filter {
 }
 
 chain forward {
- type filter hook forward priority 0;
+ type filter hook forward priority 0
+ policy drop
+
 limit rate 3/minute burst 10 packets log prefix "[FORWARD]: " counter reject
 }
 
 chain output {
- type filter hook output priority 0;
+ type filter hook output priority 0
+ policy drop
+
 counter accept
 }
}
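Review bot: The new `policy drop` on the input chain flips the chain's default from nftables' implicit accept (the old chain declared no policy) to default-deny, and nothing in the file records that this is intentional or that the stateful rules were moved further down; a one-line comment above it would save the next reader from re-adding them at the top, e.g. `# Default-deny; anything not explicitly accepted below (including new connections in-new does not verdict) is dropped.` The rest of the input chain continues outside this hunk.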
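Review bot: Relocating `ct state invalid drop` to this position means it is now evaluated only after the ICMP, ICMPv6/ND and IGMP accept rules above it, so a packet that conntrack classifies as invalid but that matches one of those accepts is now accepted, whereas before this change it was dropped at the head of the chain. Keep the invalid-state drop early, immediately after `iif lo accept` (which is outside this hunk), and leave only the established/related accept and the `ct state new jump in-new` here: `ct state invalid drop` as the first rule after loopback, then `ct state established,related accept` and `ct state new jump in-new` in this block. Putting `ct state established,related accept` ahead of the protocol-specific rules is also the usual fast path, since established traffic no longer has to traverse every ICMP/ND set lookup, though that part is performance rather than correctness. The chain input definition starts before this hunk.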
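Review bot: In the forward chain the `limit rate 3/minute burst 10 packets` expression gates the whole rule, so once the limit is exceeded the packet skips both the `log` and the `reject` and falls through to the new `policy drop`; before this change those over-limit packets fell through to the chain's implicit accept, so the policy closes a real hole, but the chain now answers with a reject below the limit and a silent drop above it. If the intent is that every forwarded packet is refused and counted while only the logging is rate-limited, split the rule into `limit rate 3/minute burst 10 packets log prefix "[FORWARD]: "` followed by `counter reject`. In the output chain the added `policy drop` is unreachable behind the unconditional `counter accept`, which is harmless as a defensive default but worth a short comment so it is not mistaken for a real restriction.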