firewall:
  defaults:
    all:
      statement: accept
      matches: ~
      priority: 1000
      counter: True
    input: {}
    forward: {}
    output: {}
    nat_prerouting: {}
    nat_postrouting: {}
    nat6_prerouting: {}
    nat6_postrouting: {}
  chains:
    input:
      "statefull-invalid":
        matches: ct state invalid
        priority: 240
        statement: drop
      "statefull-accept":
        matches: ct state established,related
        priority: 250
      allow_localhost:
        matches: iif lo
        priority: 500
      allow_icmp:
        matches: ip protocol icmp
        priority: 500
      allow_icmp6:
        matches: ip6 nexthdr icmpv6
        priority: 500
      allow_ssh: tcp dport ssh
    output: {}
    forward:
      "statefull-invalid":
        matches: ct state invalid
        priority: 240
        statement: drop
      "statefull-accept":
        matches: ct state established,related
        priority: 250
    nat_prerouting: {}
    nat_postrouting: {}
    nat6_prerouting: {}
    nat6_postrouting: {}
  policies:
    input: drop
    output: accept
    forward: drop
  routing: False
  vars: {}