VHostLoom/firewall/nftables.conf.example


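#!/usr/sbin/nft -f
# Example host firewall for VHostLoom.
#
# `flush ruleset` clears every existing table before this one is loaded, so the
# file is applied as a whole; keep that in mind if another tool on the host
# also manages nftables tables.
flush ruleset

table inet filter {
    chain input {
        # Default-deny: anything not explicitly accepted below is dropped even
        # if the trailing `counter drop` rule is ever edited out.
        type filter hook input priority 0; policy drop;

        # Loopback and replies to connections this host initiated.
        iif lo accept
        # Packets conntrack cannot associate with any flow (malformed or out
        # of window) are dropped before any port-based accept can match them.
        ct state invalid drop
        ct state established,related accept

        # ICMP / ICMPv6 (ping, path-MTU discovery, IPv6 neighbour discovery).
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # SSH via ZeroTier only. nftables interface wildcards use "*"; the "+"
        # suffix is iptables syntax and would only match an interface literally
        # named "zt+", leaving SSH unreachable.
        iifname "zt*" tcp dport 22 accept

        # Public web via Traefik.
        tcp dport { 80, 443 } accept

        # Example: AI services only accessible via ZeroTier.
        iifname "zt*" tcp dport { 7860, 8080, 11434, 8000, 8501 } accept

        # Count whatever falls through so dropped traffic shows up in
        # `nft list ruleset`.
        counter drop
    }

    chain forward {
        # This host does not route between interfaces.
        type filter hook forward priority 0; policy drop;
        drop
    }

    chain output {
        # Outbound traffic is unrestricted.
        type filter hook output priority 0; policy accept;
        accept
    }
}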