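# Input-side host firewall: default-drop policy with explicit allows.
# The table is family "inet", so the chain sees both IPv4 and IPv6 traffic.
# The ruleset needs one statement per line: a '#' comments out the rest of
# its line, so comments and rules cannot share a line.
table inet firewall {
    chain input {
        type filter hook input priority 0; policy drop;

        # Drop packets that conntrack cannot associate with a valid flow
        # before any of the port-based accepts below can match them.
        ct state invalid drop

        # established/related connections
        ct state established,related accept

        # loopback + lxdbr0 interface
        # NOTE(review): all traffic arriving on lxdbr0 is accepted, so every
        # service listening on the host is reachable from that bridge.
        # Confirm this is intended, or narrow it to the ports the guests need.
        iifname lo accept
        iifname lxdbr0 accept

        # icmp: this match is IPv4-only, it does not cover ICMPv6
        icmp type echo-request accept

        # IPv6 neighbour discovery. With policy drop in an inet table these
        # would otherwise be dropped, which breaks IPv6 address resolution
        # and router discovery on the host.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # allow mDNS
        # NOTE(review): not limited by interface or source address, so the
        # host answers mDNS on every interface. Restrict it to the LAN
        # interface if one of the interfaces is untrusted.
        udp dport mdns accept

        # allow SSH + GITEA + NGINX
        # presumably 2222 is Gitea's SSH listener and 80/443 are nginx;
        # verify against the service configuration.
        tcp dport { 22, 2222, 80, 443 } accept
    }
}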