On Fri, Jan 12, 2024 at 03:52:46PM +0000, Tom Furie wrote:
> other input/output rules that are interfering, but since you've abridged
> your ruleset we have no way of knowing.
Sorry, wanted to include the full ruleset and forgot. I've still left off the "table ip nat" and "table ip filter" chains, I hope this is OK.

#!/usr/sbin/nft -f

flush ruleset

table ip nat {
    ...
}

table ip filter {
    ...
}

table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state invalid counter drop comment "early drop of invalid packets"
        ct state {established, related} counter accept comment "accept all connections related to connections made by us"
        iif lo accept comment "accept loopback"
        iif != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"
        meta l4proto ipv6-icmp counter accept comment "accept all ICMP types"
        tcp dport 22 counter accept comment "accept SSH"
        tcp dport 25 counter accept comment "accept SMTP"
        tcp dport 53 counter accept comment "accept DNS"
        udp dport 53 counter accept comment "accept DNS"
        tcp dport 80 counter accept comment "accept HTTP"
        tcp dport 443 counter accept comment "accept HTTPS"
        counter comment "count dropped packets"
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # per interface-pair forwarding rules
        iifname ppp0 oifname en0 ct state established,related accept
        iifname en0 oifname ppp0 accept
        iifname en2 oifname ppp0 accept
        iifname ppp0 oifname en2 accept
        iifname en0 oifname en2 accept
        iifname en2 oifname en0 ct state established,related accept
        meta l4proto ipv6-icmp accept
    }
}
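Since the question in the thread is what the ruleset actually exposes, here is a small audit helper, added as an example and not code from the thread or from nftables itself. It parses the nft(8) text form of the ruleset as posted (the elided "..." bodies of the ip nat and ip filter tables are left as-is and simply skipped), and for every base chain prints the hook, the default policy, the number of rules and the TCP/UDP destination ports that are accepted. It also reports base chains with policy drop whose last rule is not a bare counter, because packets that fall through to such a policy leave no trace in nft list ruleset. The copy of the ruleset embedded below is a constructed string taken from the message above.

```python
"""Audit helper for an nftables ruleset in nft(8) text form (added example)."""
import re

# Constructed copy of the ruleset posted in the thread; the two "..." tables
# are kept elided exactly as in the message.
RULESET = """
flush ruleset
table ip nat { ... }
table ip filter { ... }
table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid counter drop comment "early drop of invalid packets"
        ct state {established, related} counter accept comment "accept all connections related to connections made by us"
        iif lo accept comment "accept loopback"
        iif != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"
        meta l4proto ipv6-icmp counter accept comment "accept all ICMP types"
        tcp dport 22 counter accept comment "accept SSH"
        tcp dport 25 counter accept comment "accept SMTP"
        tcp dport 53 counter accept comment "accept DNS"
        udp dport 53 counter accept comment "accept DNS"
        tcp dport 80 counter accept comment "accept HTTP"
        tcp dport 443 counter accept comment "accept HTTPS"
        counter comment "count dropped packets"
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        iifname ppp0 oifname en0 ct state established,related accept
        iifname en0 oifname ppp0 accept
        iifname en2 oifname ppp0 accept
        iifname ppp0 oifname en2 accept
        iifname en0 oifname en2 accept
        iifname en2 oifname en0 ct state established,related accept
        meta l4proto ipv6-icmp accept
    }
}
"""

TABLE_RE = re.compile(r'table\s+(\w+)\s+(\w+)\s*\{')
CHAIN_RE = re.compile(r'chain\s+(\w+)\s*\{')
TYPE_RE = re.compile(r'type\s+(\w+)\s+hook\s+(\w+)\s+priority\s+(-?\d+)\s*;\s*policy\s+(\w+)\s*;')
PORT_RE = re.compile(r'\b(tcp|udp)\s+dport\s+(\d+)\b')


def strip_comment(rule):
    """Drop a trailing `comment "..."`; it has no effect on matching."""
    return re.sub(r'\s+comment\s+"[^"]*"\s*$', '', rule).strip()


def parse_chains(text):
    """Return {"<family> <table>": {chain: info}} for the chains in the text."""
    tables, table, chain = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = TABLE_RE.match(line)
        if m:
            table = f'{m.group(1)} {m.group(2)}'
            tables[table] = {}
            continue
        m = CHAIN_RE.match(line)
        if m and table is not None:
            chain = m.group(1)
            tables[table][chain] = {'hook': None, 'policy': None, 'accept': set(), 'rules': []}
            continue
        if line == '}':
            if chain is not None:
                chain = None
            else:
                table = None
            continue
        if chain is None:
            continue  # "..." elisions, "flush ruleset", anything outside a chain
        info = tables[table][chain]
        m = TYPE_RE.match(line)
        if m:
            info['hook'], info['policy'] = m.group(2), m.group(4)
            continue
        rule = strip_comment(line)
        info['rules'].append(rule)
        if rule.endswith(' accept'):  # only count ports reached by an accept verdict
            for proto, port in PORT_RE.findall(rule):
                info['accept'].add((proto, int(port)))
    return tables


def summarize(tables):
    """One line per base chain: hook, policy, rule count, accepted ports."""
    lines = []
    for tname, chains in tables.items():
        for cname, info in chains.items():
            if info['hook'] is None:
                continue  # regular chain, not attached to a hook
            ports = ', '.join(f'{p}/{n}' for p, n in sorted(info['accept'], key=lambda x: (x[1], x[0]))) or 'none'
            lines.append(f"{tname} {cname}: hook={info['hook']} policy={info['policy']} "
                         f"rules={len(info['rules'])} accepted ports: {ports}")
    return lines


def uncounted_drop_policy(tables):
    """Base chains with policy drop whose last rule is not a bare counter."""
    found = []
    for tname, chains in tables.items():
        for cname, info in chains.items():
            if info['hook'] and info['policy'] == 'drop':
                if not info['rules'] or info['rules'][-1] != 'counter':
                    found.append(f'{tname} {cname}')
    return found


if __name__ == '__main__':
    parsed = parse_chains(RULESET)
    print('\n'.join(summarize(parsed)))
    for name in uncounted_drop_policy(parsed):
        print(f'note: {name} drops by policy without a trailing counter')
```

Run against the posted ruleset it reports the input chain as accepting tcp/22, tcp/25, tcp/53, udp/53, tcp/80 and tcp/443 and the forward chain as accepting no ports by number (its accepts are per interface pair), and it notes that the forward chain has no trailing counter, so forwarded packets that hit the drop policy are invisible in the counters.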