Lock down the default firewall

roles/debian/files/nftables.conf

@@ -8,13 +8,13 @@ table inet filter {
 
 		# Accept any localhost and libvirt traffic.
 		iif "lo" accept
-		iifname "virbr0" accept
+		#iifname "virbr0" accept
 
 		# Accept traffic originated from us.
 		ct state established,related accept
 
 		# Open ports for public services.
-		tcp dport 22 ct state new accept  # SSH
+		#tcp dport 22 ct state new accept  # SSH
 
 		# ICMPv6 packets which must not be dropped, see https://tools.ietf.org/html/rfc4890#section-4.4.1
 		icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept
@@ -32,11 +32,12 @@ table inet filter {
 		type filter hook output priority filter; policy accept;
 	}
 }
-table ip nat {
-	chain postrouting {
-		type nat hook postrouting priority srcnat; policy accept;
 
-		# Masquerade NAT traffic (useful for VMs).
-		masquerade
-	}
-}
+#table ip nat {
+#	chain postrouting {
+#		type nat hook postrouting priority srcnat; policy accept;
+#
+#		# Masquerade NAT traffic (useful for VMs).
+#		masquerade
+#	}
+#}