-rw-r--r--etc/nftables.conf62
-rw-r--r--etc/nix/nix.conf8
2 files changed, 24 insertions, 46 deletions
diff --git a/etc/nftables.conf b/etc/nftables.conf
index c7eada2..610aa7e 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -1,50 +1,24 @@
#!/usr/bin/nft -f
-# Laptop firewall: default-deny inbound, allow outbound.
-# Scoped to `inet filter` so podman/netavark tables are preserved on reload.
+# vim:set ts=2 sw=2 et:
-destroy table inet filter
+# IPv4/IPv6 Simple & Safe firewall ruleset.
+# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
+destroy table inet filter
table inet filter {
- chain input {
- type filter hook input priority filter; policy drop;
-
- iif "lo" accept
- ct state vmap { established : accept, related : accept, invalid : drop }
-
- # IPv4 ICMP essentials
- ip protocol icmp icmp type {
- echo-request,
- destination-unreachable,
- time-exceeded,
- parameter-problem
- } accept
-
- # IPv6 ICMP: NDP, PMTUD, echo, MLD
- meta l4proto icmpv6 icmpv6 type {
- destination-unreachable,
- packet-too-big,
- time-exceeded,
- parameter-problem,
- echo-request,
- nd-router-solicit,
- nd-router-advert,
- nd-neighbor-solicit,
- nd-neighbor-advert,
- mld-listener-query,
- mld-listener-report,
- mld-listener-done,
- mld2-listener-report
- } accept
-
- # DHCPv6 client
- ip6 saddr fe80::/10 udp dport 546 accept
- }
-
- chain forward {
- type filter hook forward priority filter; policy drop;
- }
+ chain input {
+ type filter hook input priority filter
+ policy drop
- chain output {
- type filter hook output priority filter; policy accept;
- }
+ ct state invalid drop comment "early drop of invalid connections"
+ ct state {established, related} accept comment "allow tracked connections"
+ iif lo accept comment "allow from loopback"
+ meta l4proto { icmp, icmpv6 } accept comment "allow icmp"
+ pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
+ counter
+ }
+ chain forward {
+ type filter hook forward priority filter
+ policy drop
+ }
}
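Review bot: The new rule `meta l4proto { icmp, icmpv6 } accept comment "allow icmp"` admits every ICMP and ICMPv6 type, whereas the removed rules accepted only an enumerated set (echo-request, destination-unreachable, time-exceeded, parameter-problem, plus the NDP and MLD types for v6), so types such as `nd-redirect` that the old ruleset dropped now reach the host. If the widening is intentional the comment should say so, e.g. `comment "allow all icmp/icmpv6 types (intentionally broader than the previous allow-list)"`; otherwise restore the two type-scoped rules from the old side. The dropped `ip6 saddr fe80::/10 udp dport 546 accept` is presumably covered by `ct state {established, related} accept` for replies to the host's own DHCPv6 requests, but since that depends on conntrack matching the reply it deserves a one-line comment rather than silent removal. The old header sentence noting that the ruleset is scoped to `inet filter` so podman/netavark tables survive a reload documented a real constraint of the retained `destroy table inet filter` line and is worth keeping as a comment above it.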
diff --git a/etc/nix/nix.conf b/etc/nix/nix.conf
index eb24511..633422b 100644
--- a/etc/nix/nix.conf
+++ b/etc/nix/nix.conf
@@ -1,5 +1,9 @@
-# /etc/nix/nix.conf — daemon-wide Nix config.
-# Managed by chezmoi (etc/nix/nix.conf in dotfiles).
+#
+# https://nixos.org/manual/nix/stable/#sec-conf-file
+#
+
+# Unix group containing the Nix build user accounts
+build-users-group = nixbld
# Enable `nix` CLI (vs legacy nix-* commands) and flakes.
experimental-features = nix-command flakes