--- /dev/null
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+ iif lo accept comment "accept localhost traffic"
+ ct state invalid drop comment "drop invalid connections"
+ ct state established, related accept comment "accept traffic originated from us"
+ tcp dport 22 accept comment "accept SSH on default port"
+ tcp dport 25 accept comment "accept SMTP (allowing for STARTTLS); necessary for mail server to mail server banter, i.e. for receiving mails"
+ tcp dport 80 accept comment "accept HTTP; necessary for Certbot HTTP challenge"
+ tcp dport 465 accept comment "accept SMTPS; for mail user agent to mail server, i.e. for sending mails"
+ tcp dport 993 accept comment "accept IMAPS; for reading/downloading mails"
+ ip protocol icmp icmp type echo-request accept comment "accept ICMP for pinging"
+ }
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ }
+ chain output {
+ type filter hook output priority 0; policy accept;
+ }
+}