nixos/common/firewall.nix

# Host packet-filter policy: turns off the NixOS firewall module and installs a
# hand-written nftables ruleset whose only filtering rule drops outbound mail.
# NOTE(review): `config` and `pkgs` are accepted but not referenced in this module.
{ config, pkgs, ... }:
{
# The NixOS firewall module is disabled, so it contributes no rules of its own.
# Of what this file defines, the ruleset below is the only packet filter;
# whether other modules add rules cannot be seen from here.
networking.firewall.enable = false;
networking.nftables = {
enable = true;
# One `inet` table, so the rules apply to both IPv4 and IPv6.
#
# input / forward: policy accept and no rules. Nothing inbound or routed
# through this host is filtered here; every listening service is reachable
# unless something outside this file restricts it.
#
# output: policy accept, except TCP to destination ports 25 (SMTP),
# 465 (SMTPS) and 587 (submission), which is dropped.
#
# NOTE(review): the drop sits on the output hook only, so it covers traffic
# generated by this host. Traffic forwarded for containers/VMs goes through
# the forward chain, which accepts everything, including mail ports.
# NOTE(review): the drop rule has no `counter` or `log` statement, so blocked
# send attempts leave no trace; adding `counter` would make a process that
# suddenly tries to send mail visible when the ruleset is listed.
# NOTE(review): only these three ports are covered; mail submitted on a
# non-standard port or through an HTTPS API is not affected.
ruleset = ''
table inet filter {
chain input {
type filter hook input priority 0; policy accept;
}
chain forward {
type filter hook forward priority 0; policy accept
}
chain output {
type filter hook output priority 0; policy accept
# Block outgoing mail traffic
tcp dport {25, 465, 587} drop
}
}
'';
};
}