# IPv4 host firewall: default-deny on inbound traffic, with explicit
# allowances for tracked connections, loopback, and TCP port 8080.
#
# NOTE(review): the table family is `ip`, so these rules only see IPv4.
# If the host has IPv6 addresses, inbound IPv6 is not filtered by this
# table. Confirm that a matching `ip6` or `inet` table exists elsewhere.
# Only the input hook is handled here; forward and output are untouched.
table ip filter {
    chain input {
        # Base chain on the input hook. Anything no rule below accepts
        # is dropped by the chain policy.
        type filter hook input priority 0; policy drop;

        # Discard packets conntrack could not associate with a valid flow.
        ct state invalid drop

        # Accept replies to, and traffic related to, connections that are
        # already tracked. Packets in any other state (e.g. new) fall
        # through to the rules below.
        ct state established,related accept

        # Accept everything arriving on the loopback interface.
        iifname "lo" accept

        # Allow 8080 for occasional darkhttpd use.
        # NOTE(review): this accept is permanent and matches any source
        # address on any interface, so the port is reachable whenever
        # something is listening on it, not only while darkhttpd runs.
        # If it is only needed from a known network, consider narrowing
        # the match (e.g. `ip saddr <TRUSTED_SUBNET>` or an `iifname`
        # match) or loading the rule only when required.
        tcp dport 8080 accept
    }
}