

nftables



nftables

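#!/usr/sbin/nft -f
#
# Host firewall for a single server: default-deny on both the input and the
# output hook, with explicit per-service allow rules.  Loaded with `nft -f`;
# `flush ruleset` makes every load a full, atomic replacement of the old rules.

flush ruleset

# --- service ports -----------------------------------------------------------
# Grouped by service.  Every port referenced by a rule below is named here so
# the chains read as a policy rather than as a list of numbers.
define port_dns = 53

define port_email_imap = 143
define port_email_managesieve = 4190
define port_email_pop3s = 995
define port_email_smtp_exchange = 25
define port_email_smtp_submission_starttls = 587

define port_http = 80
define port_https = 443

define port_irc_default = 6667
define port_irc_freenode_tls = 7000
define port_irc_tls = 6697

define port_ntp = 123

define port_prosody_clients = 5222
define port_prosody_servers = 5269

define port_quake3 = 27960

define port_quassel_core = 4242

define port_rsync = 873

# sshd listens on a non-default port on this host
define port_ssh = 48922

define port_torrent_opentracker = 6969

table inet filter {

  # Checks shared by both hooks.  This chain only ever accepts or drops;
  # a packet it does not decide on returns to the chain that jumped here.
  chain global {
    # stateful firewall on: replies and related flows are accepted here,
    # so the per-port rules below only ever see connection-opening packets
    ct state established,related accept
    ct state invalid drop
    ip protocol icmp accept
    # `meta l4proto` matches the transport protocol even when IPv6 extension
    # headers sit in front of it; `ip6 nexthdr` only reads the fixed header,
    # so ICMPv6 behind an extension header would not have matched.
    meta l4proto icmpv6 accept
  }

  chain input {
    type filter hook input priority 0;
    policy drop;

    jump global

    # loopback
    iif lo accept

    # DNS, both transports
    tcp dport $port_dns accept
    udp dport $port_dns accept

    # mail: IMAP, ManageSieve, SMTP exchange and STARTTLS submission
    tcp dport { $port_email_imap, \
                $port_email_managesieve, \
                $port_email_smtp_exchange, \
                $port_email_smtp_submission_starttls } accept

    tcp dport { $port_http, $port_https } accept

    # only the TLS IRC port is reachable from outside
    tcp dport { $port_irc_tls } accept

    # XMPP (prosody): client and server-to-server connections
    tcp dport { $port_prosody_clients, $port_prosody_servers } accept

    udp dport $port_quake3 accept

    # Established SSH sessions were already accepted in `global`, so this
    # rate limit applies to connection attempts only: a burst of 5, then
    # 15 per minute; attempts above that fall through to the final drop.
    tcp dport $port_ssh limit rate 15/minute burst 5 packets accept

    tcp dport $port_torrent_opentracker accept

    # everything else: count, then drop (`nft list ruleset` shows the counter)
    counter drop
  }

  chain output {
    type filter hook output priority 0;
    policy drop;

    jump global

    # loopback: mirrors the input rule, so local clients can reach local
    # services on ports that are not in the egress list below
    oif lo accept

    tcp dport $port_dns accept
    udp dport $port_dns accept

    # outbound mail: POP3S and SMTP exchange to remote hosts
    tcp dport { $port_email_pop3s, $port_email_smtp_exchange } accept

    tcp dport { $port_http, $port_https } accept

    tcp dport { $port_irc_tls, \
                $port_irc_default, \
                $port_irc_freenode_tls } accept

    udp dport $port_ntp accept

    # XMPP server-to-server federation
    tcp dport $port_prosody_servers accept

    tcp dport $port_rsync accept

    # unrestricted egress for sockets owned by these local users; any other
    # uid (root-owned daemons included) is limited to the ports listed above
    skuid { ww, neo } accept

    # count dropped egress, matching the input chain
    counter drop
  }

  # NOTE(review): no forward-hook chain is defined, so forwarded traffic
  # (if IP forwarding is enabled on this host) is not filtered by this table.
}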