From 550af6e21f08caee6a579779c87935bcc78145c6 Mon Sep 17 00:00:00 2001
From: Tristan PILAT
Date: Wed, 18 Nov 2020 17:46:41 +0100
Subject: [PATCH] Change output default policy to drop

---
 minifirewall-start.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/minifirewall-start.sh b/minifirewall-start.sh
index e4fdee0..f758171 100755
--- a/minifirewall-start.sh
+++ b/minifirewall-start.sh
@@ -82,10 +82,10 @@ $NFT flush ruleset
 # Add a filter table
 $NFT add table inet minifirewall
 
-# Add the input, forward, and output base chains. The policy for input and forward will be to drop. The policy for output will be to accept.
+# Add the input, forward, and output base chains. The default policy will be to drop the traffic.
 $NFT add chain inet minifirewall minifirewall_input '{ type filter hook input priority 0 ; policy drop ; }'
 $NFT add chain inet minifirewall minifirewall_forward '{ type filter hook forward priority 0 ; policy drop ; }'
-$NFT add chain inet minifirewall minifirewall_output '{ type filter hook output priority 0 ; policy accept ; }'
+$NFT add chain inet minifirewall minifirewall_output '{ type filter hook output priority 0 ; policy drop ; }'
 
 # Add set with trusted IP addresses
 $NFT add set inet minifirewall minifirewall_trusted_ips '{ type ipv4_addr ; flags interval ;}'
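Review bot: With `policy drop` on `minifirewall_output`, every outbound packet, including replies to inbound connections already accepted on `minifirewall_input` (an admin SSH session, for example), is discarded unless the output chain carries explicit accept rules, and none are added in this hunk. The rest of the script lies outside the hunk, so this may already be handled further down. If it is not, the change should ship together with at least `$NFT add rule inet minifirewall minifirewall_output oif lo accept` and `$NFT add rule inet minifirewall minifirewall_output ct state established,related accept`, plus whatever egress the host needs (DNS, NTP, package mirrors). The new comment could also say that outbound traffic must now be allow-listed, so an operator applying the update remotely is not locked out.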