Diffstat (limited to 'etc/nftables.conf')
| -rw-r--r-- | etc/nftables.conf | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/etc/nftables.conf b/etc/nftables.conf
new file mode 100644
index 0000000..c7eada2
--- /dev/null
+++ b/etc/nftables.conf
@@ -0,0 +1,50 @@
+#!/usr/bin/nft -f
+# Laptop firewall: default-deny inbound, allow outbound.
+# Scoped to `inet filter` so podman/netavark tables are preserved on reload.
+
+destroy table inet filter
+
+table inet filter {
+ chain input {
+ type filter hook input priority filter; policy drop;
+
+ iif "lo" accept
+ ct state vmap { established : accept, related : accept, invalid : drop }
+
+ # IPv4 ICMP essentials
+ ip protocol icmp icmp type {
+ echo-request,
+ destination-unreachable,
+ time-exceeded,
+ parameter-problem
+ } accept
+
+ # IPv6 ICMP: NDP, PMTUD, echo, MLD
+ meta l4proto icmpv6 icmpv6 type {
+ destination-unreachable,
+ packet-too-big,
+ time-exceeded,
+ parameter-problem,
+ echo-request,
+ nd-router-solicit,
+ nd-router-advert,
+ nd-neighbor-solicit,
+ nd-neighbor-advert,
+ mld-listener-query,
+ mld-listener-report,
+ mld-listener-done,
+ mld2-listener-report
+ } accept
+
+ # DHCPv6 client
+ ip6 saddr fe80::/10 udp dport 546 accept
+ }
+
+ chain forward {
+ type filter hook forward priority filter; policy drop;
+ }
+
+ chain output {
+ type filter hook output priority filter; policy accept;
+ }
+}
|
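Review bot: The `forward` chain's `policy drop` with no rules will also drop any traffic a container bridge needs, because a packet crossing the forward hook must be accepted by every base chain registered there — an accept in podman's own `inet netavark` forward chain does not override a drop in `inet filter`. If rootful bridge networks (`podman0` and friends) are in use this silently breaks container egress even though the netavark table survives the reload; on a purely rootless/pasta setup it is harmless, but the file does not say which is intended. Either record the intent (`# no forwarding: rootless containers only`) or admit bridge traffic explicitly, e.g. `ct state vmap { established : accept, related : accept, invalid : drop }` followed by `iifname "podman*" accept`. Separately, `destroy table inet filter` only parses on a nftables/kernel pair that supports the `destroy` command; on older systems the whole file is rejected before any rule is installed, so the previous ruleset stays in force and the laptop is not protected by this policy at all.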
