feat(net): nftables laptop firewall

Default-deny inbound, allow outbound. Scoped to 'inet filter' with 'destroy table' on reload so podman/netavark tables are preserved. - meta/base.txt: add nftables - systemd-units/system/base.txt: enable nftables.service - etc/nftables.conf: laptop ruleset (loopback, ct state, ICMP/ICMPv6 essentials, DHCPv6 client, default-drop input/forward, accept output) - etc/sysctl.d/99-sysctl.conf: rp_filter=2, no redirects, no source-route, log_martians - README.md: firewall section with reload caveat
author: sommerfeld <sommerfeld@sommerfeld.dev> 2026-05-13 13:43:22 +0100
committer: sommerfeld <sommerfeld@sommerfeld.dev> 2026-05-13 13:43:22 +0100
commit: ac0654daf06a9d01fd264d96c00c8ab47b90cb73 (patch)
tree: a52a85553116dbc671bf43a7414c34959ca0b8eb /systemd-units
parent: b459f8eef44afaab44e38b8a5946974a4d107301 (diff)
download: dotfiles-ac0654daf06a9d01fd264d96c00c8ab47b90cb73.tar.gz
dotfiles-ac0654daf06a9d01fd264d96c00c8ab47b90cb73.tar.bz2
dotfiles-ac0654daf06a9d01fd264d96c00c8ab47b90cb73.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/systemd-units/system/base.txt b/systemd-units/system/base.txt
index 6f8582a..1e3af9b 100644
--- a/systemd-units/system/base.txt
+++ b/systemd-units/system/base.txt
@@ -9,6 +9,7 @@ paccache.timer
 acpid.service
 cpupower.service
 iwd.service
+nftables.service
 systemd-networkd.service
 systemd-networkd-wait-online.service
 tlp.service
author	sommerfeld <sommerfeld@sommerfeld.dev>	2026-05-13 13:43:22 +0100
committer	sommerfeld <sommerfeld@sommerfeld.dev>	2026-05-13 13:43:22 +0100
commit	ac0654daf06a9d01fd264d96c00c8ab47b90cb73 (patch)
tree	a52a85553116dbc671bf43a7414c34959ca0b8eb /systemd-units
parent	b459f8eef44afaab44e38b8a5946974a4d107301 (diff)
download	dotfiles-ac0654daf06a9d01fd264d96c00c8ab47b90cb73.tar.gz dotfiles-ac0654daf06a9d01fd264d96c00c8ab47b90cb73.tar.bz2 dotfiles-ac0654daf06a9d01fd264d96c00c8ab47b90cb73.zip