#!/usr/sbin/nft -f

# create the table if it is missing, then flush only this table (not the whole ruleset) so rules managed elsewhere survive a reload
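table inet filter
flush table inet filter

table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;

		# IPv4 carries no extension headers, so the protocol field is reliable here.
		ip protocol icmp accept
		# Match ICMPv6 on the transport protocol, not on "ip6 nexthdr": when an
		# extension header precedes the ICMPv6 header (e.g. the hop-by-hop header
		# that MLD messages carry) the next-header field is not icmpv6 and the
		# packet would fall through to the drop policy.
		meta l4proto ipv6-icmp accept

		iifname lo accept

		# Reject what conntrack cannot classify before any port-based accept,
		# so stray segments do not get in via the "tcp dport ..." rules below.
		ct state invalid drop
		ct state related,established accept

		# SSH and DNS (TCP and UDP) are open to everyone.
		tcp dport 22 accept
		tcp dport 53 accept
		udp dport 53 accept

		# Exporter port is reachable from the single monitoring address only.
		tcp dport 9167 ip saddr 94.45.254.5 accept comment "allow monitoring access to unbound exporter stats"
	}
	chain forward {
		# Forwarded traffic is dropped except replies belonging to existing flows.
		type filter hook forward priority filter; policy drop;
		ct state related,established counter accept
	}
	chain output {
		# A chain without a policy statement defaults to accept; stated
		# explicitly so the intent is visible.
		type filter hook output priority filter; policy accept;
	}
}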