From c2ad46f8cac25b88ee414edd5948ff84aa4a1e2d Mon Sep 17 00:00:00 2001
From: Pit Kleyersburg
Date: Sun, 7 Jan 2024 11:56:59 +0100
Subject: [PATCH] Suggest better defaults for `/etc/nftables.conf`

---
 docs/GETTING-STARTED-nftables.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/docs/GETTING-STARTED-nftables.md b/docs/GETTING-STARTED-nftables.md
index 5a5d46d0..10e8d536 100644
--- a/docs/GETTING-STARTED-nftables.md
+++ b/docs/GETTING-STARTED-nftables.md
@@ -74,6 +74,12 @@ table inet filter {
 chain input {
 type filter hook input priority 0; policy drop;
+
+ # Ensure local traffic is accepted still
+ iif lo accept
+ # Allow established connections (e.g. responses to outgoing traffic)
+ ct state { established, related } accept
+ # Allow incoming SSH connections
 tcp dport 22 accept
 }
 chain forward {