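# Host firewall: an inet table (input/forward filtering) plus a netdev table
# (early drop of bogus packets on one physical interface). The listing was
# collapsed onto one line; it is laid out here one rule per line, with
# `counter packets 0 bytes 0` written as `counter` (identical on load).
#
# Fix: the "new connection must start with SYN" rule in chain inbound was
# `tcp flags syn / fin,syn,rst,ack ct state new counter drop`, which matches a
# packet whose fin/syn/rst/ack bits are exactly SYN -- i.e. it drops every
# legitimate TCP handshake and lets the non-SYN ones through to later rules.
# The intended check is the negation (`!= syn`), written below in the
# `flags & (mask) != value` form that all nft versions accept.

table inet firewall {
	chain inbound_ipv4 {
		# Rate-limited ping. ICMP error messages for tracked flows are
		# admitted by `ct state related` in chain inbound, not here.
		icmp type echo-request limit rate 5/second accept
	}

	chain inbound_ipv6 {
		# Neighbour discovery (router advert, neighbour solicit/advert).
		# NOTE(review): mld-listener-query and nd-router-solicit are not
		# accepted; confirm the host does not need them (e.g. behind an
		# MLD-snooping switch).
		icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
		icmpv6 type echo-request limit rate 5/second accept
	}

	chain inbound {
		type filter hook input priority filter; policy drop;

		# Conntrack fast path: invalid dropped, tracked flows accepted.
		ct state vmap { invalid : drop, established : accept, related : accept }

		# A new TCP connection must begin with a bare SYN (no FIN/RST/ACK).
		tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop

		iifname "lo" accept

		meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }

		# Services reachable from any source on any interface. If some of
		# these (ssh on 22, the 8xxx services) are meant to be LAN-only,
		# add an iifname or saddr qualifier here.
		tcp dport { 22, 80, 443, 8000, 8200, 8883 } accept
		# Port 53 is open to all sources; only appropriate if this host
		# is meant to serve DNS to the outside.
		meta l4proto { tcp, udp } th dport 53 counter accept comment "accept DNS"

		# Matches multicast SSDP (NOTIFY) traffic. Unicast replies to the
		# host's own M-SEARCH are already accepted as ct state established.
		udp dport 1900 meta pkttype multicast limit rate 4/second burst 20 packets accept comment "Accept UPnP IGD port mapping reply"

		meta l4proto igmp meta nfproto ipv4 ip daddr 224.0.0.0/24 accept comment "accept IGMP"
		meta l4proto igmp meta nfproto ipv4 ip daddr 239.255.255.250 accept comment "accept IGMP digital radio"

		# Everything else is logged, counted and dropped.
		log prefix "[nftables] Inbound Denied: " counter drop
	}

	chain forward {
		# This host does not route; nothing is forwarded.
		type filter hook forward priority filter; policy drop;
	}
}

table netdev filter {
	# Source addresses dropped at ingress on enp8s0.
	# NOTE(review): if enp8s0 faces the WAN, 192.168.0.0/16, 127.0.0.0/8 and
	# 0.0.0.0/8 are usually in this list too; if it faces the LAN, blocking
	# 10.0.0.0/8 and 172.16.0.0/12 would cut off local hosts -- confirm.
	set blocklist_v4 {
		type ipv4_addr
		flags interval
		elements = { 10.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12 }
	}

	chain ingress {
		# Runs before conntrack; policy accept, so only the listed
		# packets are dropped.
		type filter hook ingress device "enp8s0" priority -500; policy accept;

		# Drops every non-initial IPv4 fragment, legitimate ones included
		# (large UDP such as DNSSEC answers may be affected).
		ip frag-off & 8191 != 0 counter drop
		ip saddr @blocklist_v4 counter drop
		# All TCP flags set ("xmas").
		tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|syn|rst|psh|ack|urg) counter drop
		# No TCP flags set ("null").
		tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
		# SYN advertising an MSS below 536.
		tcp flags syn tcp option maxseg size 1-535 counter drop
	}
}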