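# Inbound host firewall, rendered from a Jinja template.
# The table uses the inet family, so every rule below is evaluated for both
# IPv4 and IPv6 traffic.
# The template compares env.target, env.desktop, env.samba and
# env.transmission_daemon against string literals ('dev' / 'true'); a boolean
# value would not match and the optional rules would be silently omitted.
table inet firewall {
    chain input {
        # Default-deny: anything not accepted by a rule below is dropped.
        type filter hook input priority 0; policy drop;

        # established/related connections
        # (related also covers ICMP/ICMPv6 errors tied to a tracked flow)
        ct state established,related accept

        # loopback + lxdbr0 interface
        # NOTE(review): all traffic arriving on lxdbr0 is accepted, so anything
        # attached to that bridge can reach every service on the host - confirm
        # that this level of trust is intended.
        iifname lo accept
        iifname lxdbr0 accept

        # icmp (IPv4 ping)
        icmp type echo-request accept

        # icmpv6: "icmp type" above matches IPv4 only. With policy drop, IPv6
        # neighbour discovery and router advertisements would never be accepted
        # and IPv6 connectivity on this host breaks. Only ping plus the three
        # neighbour-discovery types are accepted here.
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # allow SSH + GITEA + NGINX
        # NOTE(review): presumably 22 = SSH, 2222 = Gitea SSH, 80/443 = nginx;
        # all four are reachable from any source address, with no rate limit.
        tcp dport {22, 2222, 80, 443} accept
        {%- if env.target == 'dev' %}
        {%- if env.desktop == 'true' %}

        # DESKTOP RULES BELOW
        # -------------------
        # Rendered only for a dev target with the desktop flag set.

        # allow mDNS
        udp dport mdns accept
        {%- if env.samba == 'true' %}

        # allow SAMBA
        # NOTE(review): these four rules accept from any source on any
        # interface; if the shares are only meant for the local network,
        # restrict them by source address or by input interface.
        udp dport netbios-ns accept comment "Accept NetBIOS Name Service (nmbd)"
        udp dport netbios-dgm accept comment "Accept NetBIOS Datagram Service (nmbd)"
        tcp dport netbios-ssn accept comment "Accept NetBIOS Session Service (smbd)"
        tcp dport microsoft-ds accept comment "Accept Microsoft Directory Service (smbd)"
        {%- endif %}
        {%- if env.transmission_daemon == 'true' %}

        # allow TRANSMISSION-REMOTE
        # NOTE(review): the remote-control port is opened to every source;
        # confirm that the daemon itself enforces authentication or a client
        # allow-list before relying on this rule.
        tcp dport 9091 accept comment "Accept Transmission Remote Service"
        {%- endif %}
        {%- endif %}
        {%- endif %}
    }
}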