Redesign of the nft firewall based on an existing Ansible playbook for the same purpose.

etc-nftables.conf.d/nft-fw.conf

@@ -0,0 +1,22 @@
+# Host-specific configuration for nft-fw.
+# This file is read by /usr/local/sbin/fw-apply.
+#
+# Syntax: shell KEY=VALUE
+# Values "true/false" are parsed case-insensitively.
+
+# Interfaces / networks
+EXT_IF=eth0
+PRIV_IF=enp7s0
+PRIV_NET=172.20.0.0/21
+
+# Feature toggles
+ALLOW_SSH_PUBLIC_IN=true
+ALLOW_APT_PUBLIC_OUT=true
+
+# ICMP toggles
+ALLOW_ICMP4_PUBLIC=true
+ALLOW_ICMP6_PUBLIC=true
+
+# Force ICMPv6 essential types when EXT_IF is "in use" (SSH or APT enabled)
+FORCE_ICMP6_ESSENTIAL=true
+