diff --git a/resources/chaosknoten/router/nftables/current.conf b/resources/chaosknoten/router/nftables/current.conf
new file mode 100644
index 0000000..91d24a5
--- /dev/null
+++ b/resources/chaosknoten/router/nftables/current.conf
@@ -0,0 +1,38 @@
+#!/usr/sbin/nft -f
+
+# only flush tables managed by this file
+table inet filter
+flush table inet filter
+
+define LAN_IFS = {net0.2, net0.3}
+
+table inet filter {
+ chain input {
+ type filter hook input priority filter; policy drop;
+ ip protocol icmp accept
+ ip6 nexthdr icmpv6 accept
+ iifname lo accept
+ ct state related,established accept
+
+ tcp dport 22 accept
+ iifname $LAN_IFS tcp dport 53 counter accept
+ iifname $LAN_IFS udp dport 53 counter accept
+
+ iifname net0.3 udp dport 67 counter accept
+
+ iifname $LAN_IFS log prefix "[nftables] Inbound Denied: " counter drop
+ }
+ chain forward {
+ type filter hook forward priority filter; policy drop;
+ ct state related,established counter accept
+
+ meta nfproto ipv6 iifname $LAN_IFS oifname net2 counter accept
+ meta nfproto ipv4 iifname $LAN_IFS oifname net1 counter accept
+
+ #iifname net0.2 oifname net0.3 counter accept
+ iifname $LAN_IFS log prefix "[nftables] Forward Denied: " counter drop
+ }
+ chain output {
+ type filter hook output priority filter;
+ }
+}
diff --git a/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 b/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2
index 057da55..5b9bde5 100644
--- a/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2
@@ -25,7 +25,7 @@ services:
 backend:
 pretix:
- image: docker.io/pretix/standalone:2024.8@sha256:110bac37efa5f736227f158f38e421ed738d03dccc274dfb415b258ab0f75cfe
+ image: docker.io/pretix/standalone:2025.8@sha256:21048b37b641ff50320984fc80a9fdf84fbfb37efc7d28484e7ac3ab0e64537a
 command: ["all"]
 ports:
 - "8345:80"
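Review bot: `tcp dport 22 accept` in the input chain is the only service rule without an `iifname` match, so SSH on the router is reachable from every interface, including net1 and net2, which the forward chain appears to use as the IPv4 and IPv6 uplinks; the DNS and DHCP rules next to it are all scoped to `$LAN_IFS` or net0.3. If management is meant to come from the LAN only, `iifname $LAN_IFS tcp dport 22 accept` keeps the chain consistent; if uplink access is intended, a comment stating that would stop the next reader from "fixing" it. Note also that the terminal `log prefix "[nftables] Inbound Denied: " counter drop` rule matches only `$LAN_IFS`, so anything dropped by the chain policy on net1/net2 is neither counted nor logged — presumably to avoid log noise, but worth confirming since it is the side where denied traffic is most interesting. The same applies to the `Forward Denied` rule in the forward chain.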