Diffstat (limited to 'nftables.conf')
-rw-r--r--nftables.conf49
1 files changed, 19 insertions, 30 deletions
diff --git a/nftables.conf b/nftables.conf
index 2d306375809c..fe835b303914 100644
--- a/nftables.conf
+++ b/nftables.conf
@@ -1,38 +1,27 @@
#!/usr/bin/nft -f
-# ipv4/ipv6 Simple & Safe Firewall
-# you can find examples in /usr/share/nftables/
+# vim:set ts=2 sw=2 et:
+
+# IPv4/IPv6 Simple & Safe firewall ruleset.
+# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
+table inet filter
+delete table inet filter
table inet filter {
chain input {
- type filter hook input priority 0;
-
- # allow established/related connections
- ct state {established, related} accept
-
- # early drop of invalid connections
- ct state invalid drop
-
- # allow from loopback
- iifname lo accept
-
- # allow icmp
- ip protocol icmp accept
- ip6 nexthdr icmpv6 accept
-
- # allow ssh
- tcp dport ssh accept
-
- # everything else
- reject with icmpx type port-unreachable
+ type filter hook input priority filter
+ policy drop
+
+ ct state invalid drop comment "early drop of invalid connections"
+ ct state {established, related} accept comment "allow tracked connections"
+ iifname lo accept comment "allow from loopback"
+ ip protocol icmp accept comment "allow icmp"
+ meta l4proto ipv6-icmp accept comment "allow icmp v6"
+ tcp dport ssh accept comment "allow sshd"
+ pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
+ counter
}
chain forward {
- type filter hook forward priority 0;
- drop
- }
- chain output {
- type filter hook output priority 0;
+ type filter hook forward priority filter
+ policy drop
}
-
}
-
-# vim:set ts=2 sw=2 et:
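Review bot: The rate-limited reject on the `pkttype host` line matches only unicast packets addressed to this host, so broadcast and multicast traffic, and anything above 5/second, falls through to the bare `counter` and is then silently dropped by `policy drop`; nothing in the chain says so, and the old ruleset rejected everything uniformly. A comment on the two trailing lines would make the intended split explicit, e.g. `pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited comment "reject unicast politely, rate-limited"` and `counter comment "count everything else before the drop policy"`. It is also worth a one-line comment above `table inet filter` / `delete table inet filter` that this pair empties only this table rather than `flush ruleset`, so tables installed by other services survive a reload. The removal of the explicit `output` chain is presumably deliberate (no hook means output is unfiltered), but a comment saying so would save the next reader from assuming it was lost.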